On Thu, 14 Apr 2005, John Meier wrote:

> If I had an extra external IP address and reserved it for the web server
> (and set up an A record using that IP and a really cool host name), could
> the PIX take traffic going to that extra IP and forward just traffic on port
> 80 to the web server at 10.1.1.115?

You technically don't even need another IP address - as long as port 80 on
the external address isn't already being forwarded somewhere, you could just
use that. You're looking at something like:

    static (inside,outside) your.public.ip webserver.private.ip netmask 255.255.255.255 0 0
    conduit permit tcp host your.public.ip eq www any

(This is assuming that you aren't already mapping your public IP to a
different internal IP for some other service.)

I think that's it; it's from memory and I haven't touched one in a few
months. It's also assuming that the existing config is relatively sane and
complete.

> I'm looking at the Command line interface guide for the PIX and it's
> thick.... :) just knowing this can be done will give me the courage to dive
> in!!!

Yes, it's very ugly.
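
A port-specific variant of the mapping discussed in this thread, as an added example that is not part of the original message: it translates only TCP port 80 rather than the whole address, and uses an access list in place of `conduit`. It assumes PIX software that supports port redirection in `static`; 192.0.2.10 is a constructed public address and `outside_in` is a hypothetical ACL name.

```text
: Added example. Assumed values: 192.0.2.10 is a constructed public address,
: outside_in is a hypothetical ACL name. 10.1.1.115 is the web server from
: the thread.
:
: Translate only TCP port 80 on the public address to the web server.
static (inside,outside) tcp 192.0.2.10 www 10.1.1.115 www netmask 255.255.255.255 0 0
:
: Permit inbound HTTP to the public address and nothing else.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
:
: Flush existing translations so the new static takes effect.
clear xlate
```

If the existing configuration already filters with `conduit` statements, keep to one mechanism: an access list bound to the outside interface with `access-group` takes precedence over conduits.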