Its normal practice to employ anti-spoofing at the firewall, this means that addresses that appear to originate from inside the firewall will be rejected at the external interface. Hackers try to spoof internal LAN addys so that they can gain a level of trust which wouldn't be granted to an external address. It did also occur to me that perhaps your DNS wasn't set up to the world and only your LAN can resolve the server (because it is your primary DNS server). If you use the website internally you may need to employ a script to update your clients HOSTS file so that when internal addresses look up your.website.com the HOSTS file directs them to 192.168.internal.address (whatever yours is) rather than the external interface which will block you, host headers will work as normal. I can provide you with an example script to modify if you need it.