This is a weird one to me. Looks like there is a certain pecking order to how the PIX handles requests when it comes to VPNs.
2007-01-24 11:44:19 Local4.Error 10.200.89.1 Jan 24 2007 11:44:20: %PIX-3-305005: No translation group found for tcp src newoutside:10.40.10.14/1070 dst DMZ:10.200.84.15/80
The 10.40.10.x network is at a remote site that VPNs back to the PIX. The server they are trying to reach is in the DMZ. There is a static translation on the PIX:
static (DMZ,newoutside) 159.87.xx.xx 10.200.84.15 netmask 255.255.255.255
They are doing DNS queries to our in-house DNS box, so it is pointing them into the DMZ for this IP if they were to go to the box. If they looked up the name outside of our network then it would be the public IP, but you can't get to the public IP from the inside. They have to have DNS access to our servers for lookups, so how exactly do you get around this?