This problem actually stems from an incorrectly configured DNS server - or you are using public DNS servers.
I have run into this a couple of times in my travels and there is only one real solution - configure DNS to provide the real IP address of the servers in the DMZ to the internal users. In short, internal DNS should provide the private address for DMZ servers.
Actually I think the DNS keyword is used when the inside users are using a DNS server in the DMZ. When the DNS server is on the outside and the web server is in the DMZ the dns keyword does not perform the functions you are thinking of. This is because the DNS lookups are not traveling in the same direction as the static commands.
Best fix is to start hosting your own internal DNS with A records for the DMZ servers. This easy to do as you probably have A windows 2000 server runnning DHCP. Just enable DNS and point your PCs to this DNS server. Also put the root servers in the DNS server. This will also make lookups faster because frequently accessed domains will be cached on the local DNS server.
Worst case scenario - host files on the inside network. yuck.
In my experience I have seen that the "static ... dns" command works very well with PixOS 7, maybe better then in previous releases.
You have to remove both the "alias (inside)" and the "static (dmz,inside).." lines, and modify the static nat statement for publishing the DMZ server outside as follows:
static (dmz,outside) 62.x.x.x 192.168.0.100 dns
This is already needed for publishing in internet your server and is all what you need. As you can read in documentation, when the PIX detects a DNS query to an external DNS server related to a static with dns, it translates the A record in the answer to match the internal IP address of the server. This works wherever the inside server and the inside client are, they can be connected to different internal interfaces.
Obviously your internal clients will resolve the server name to its internal private address, but I believe this shouldn't be a problem.
I often use such a configuration with no problem. Try and let me know if I could help you.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :