This all depends on what interface your internal users and your DNS servers are on. First off, put the global address of the web server in your DNS server; that way external users will work fine.
Going by your statics, your DNS server is on the inside interface, and presumably so are your internal users. Because both the users and the DNS server are on the same interface, the "dns" option on the statics won't work. This only works if the PIX sees a DNS reply come through it, which it never will because the users and the DNS server are co-located.
To get this to work you need to configure destination-NAT, where the PIX will change the destination of the packet as it goes through it. Your internal users will do a DNS query for your web server, the DNS server will return the global address, and the PC will then attempt to connect to that address. When the PIX sees this address it changes it to the local address and sends it to the DMZ interface. The command to do this is as follows:
Note the interface names are swapped around from a "normal" static ((lower,higher) instead of (higher,lower)). This tells the PIX that if it sees a packet on the inside interface destined for d.d.d.12, change the destination to WebServer (b.b.b.3) and send it to the DMZ1 interface.