09-27-2002, 04:40 AM   #11
Pseudocyber


Here is the way I would do it - see attached net diagram. Your router to the I'net must have a public IP address.

If you have enough addresses - you could put a public address on the inside interface of your router, one on each server, and one on the outside (not inside your network) of your firewall. This would be 5 addresses.

You could use the same setup but have the I'net router perform NAT (Network Address Translation). I would still use two different networks - a DMZ and an Inside Network.

DMZ - De-Militarized Zone - this is the area where you maintain web servers that are accessible from the I'net. They must be "hardened" because they are not protected by a firewall or, if they are, it's not as "tight" as the firewall protecting your inside network.

Firewall - a firewall is a smart Layer 4 switch/router. It has the ability to open up a packet and inspect the contents. If the contents aren't allowed, they're discarded. Think of it as the postal inspector or the mail processing people in a prison. They will open the envelopes (packets) and inspect their contents. Maybe Prisoner Jones is only allowed mail (SMTP) and Prisoner Smith is allowed mail and care packages. The mail processing people will look at what it is and who it's for and consult their rules and if it's allowed, will pass it through. If not, they might just drop it, or they might pass along an alert to the Warden!

An Excellent short movie explaining all of this can be found at: http://www.warriorsofthe.net/clips.html

Inside your network, I would definitely have the Firewall performing NAT - for added security and to give you the ability to add more machines whenever you wanted to.

Additionally, when you're setting up NAT - consider using "private" addresses internally. These are special address ranges which aren't routable on the internet. This will give you a little bit of "added" security.

HTH
Attached image: smallnet.gif (net diagram)
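As an added illustration of the design in the post above (example code, not from the post or its author): a small Python model of the firewall consulting its rules per destination and service, with the inside network on a private range behind NAT. All addresses are constructed; 192.0.2.0/24 stands in for the public block and 10.10.0.0/16 for the inside network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the post's design: the DMZ holds the publicly reachable
# servers (192.0.2.0/24 is a documentation block standing in for real public space),
# the inside network uses a private range hidden behind the firewall's NAT.
ZONES = {"dmz": ipaddress.ip_network("192.0.2.16/28"),
         "inside": ipaddress.ip_network("10.10.0.0/16")}
FIREWALL_OUTSIDE = "192.0.2.2"  # public address on the firewall's outside interface
# The RFC 1918 ranges are the "private", non-routable addresses the post recommends.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules are consulted like the prison mail room: who it is for and what it is.
# (src zone, dst zone, proto or None, port or None, action); no match means drop.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),      # web server open to the I'net
    ("internet", "dmz", "tcp", 25, "allow"),      # mail server open to the I'net
    ("inside", "internet", None, None, "allow"),  # inside hosts go out through NAT
    ("inside", "dmz", None, None, "allow"),
    ("internet", "inside", None, None, "alert"),  # should never arrive: tell the Warden
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

def inspect(pkt: Packet) -> str:
    """Firewall verdict for one packet: allow, drop, or alert."""
    zones = (zone_of(pkt.src), zone_of(pkt.dst))
    for rs, rd, proto, port, action in RULES:
        if (rs, rd) == zones and proto in (None, pkt.proto) and port in (None, pkt.dport):
            return action
    return "drop"

def nat_outbound(pkt: Packet) -> Packet:
    """Rewrite an allowed inside-to-I'net packet so only the firewall's public address is seen."""
    if zone_of(pkt.src) == "inside" and zone_of(pkt.dst) == "internet" and inspect(pkt) == "allow":
        return Packet(FIREWALL_OUTSIDE, pkt.dst, pkt.proto, pkt.dport)
    return pkt
```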