So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?
Yeah, that's not going to work.
There's no good reason for it not to work beyond "people who write NATs don't bother to implement that case". You'll need to run two DNS servers, one for your internal clients so that they can get the internal IP addresses for your hostnames and one for the rest of the world.
Alternately, you could look for NAT software that implements that case properly, but they're few and far between, if they exist at all, and if they do, I don't know which they are.
Or are the firewall and the webserver the same machine? If that's the case, it should work, but you may be hitting on the problem above. If so, you should be able to reconfigure your firewall to not NAT when going to the globally routed addresses that are on the NAT machine.
Edited by wfaulk (08/11/2005 21:00)
_________________________
Bitt Faulk