for normal internet users what do I need to let back in ? do pix's use cbac ?

If users are browsing the internet from your internal network, you don't need to allow any special ports inbound. Since you are hosting a web server, you need an access-list entry that reads like this:

access-list 101 permit tcp any interface outside eq 80

You also need a static entry:

static (in, out) tcp [outside-ip-address] 80 [server-ip-address] 80 netmask 255.255.255.255

Hope this helps

so your saying on my pc at home I dont need any access lists, wouldnt this allow people to connect to my pc, surely I would need to just allow established connections ?

That is the access-list. You don't need an outbound access-list, unless you want to block certain traffic from leaving your network. Place that inbound access-list allowing port 80 on the outside interface of your PIX. I believe there's an implied deny ip any any at the end of every access-list. However, you could add in a deny ip any any to the end. Just follow that same syntax for any other ports you may want to allow through. I am assuming that your PC is behind the PIX. The PIX shouldn't block connections that are established by your PC to the internet.

Hope this helps.

Chris

How does the pix know what connections are established ? does the pix use cbac for this ? and can you give me an example of the access list wheres im not hosting any servers ?