Ohhhh boy you're in for a bumpy ride, but hold on because it's worth it... I've been dealing with exactly the same problem for some time now, and I just managed to resolve it a couple days ago and get everything working as it should.
First, you should be using private IP addresses on the inside (something like 10.0.0.x/24, or whatever you choose). Then you just put static NAT entries in your PIX that translate each server's public IP address to its internal address. Don't forget to open up whatever you need open in ACLs (only using the EXTERNAL IP address, you don't need to use the internal IP on the "outside" interface).
Next, go to your cPanel box and remove ALL PUBLIC IPs!!! Only use the internal IP addresses. If you're like me, you'll have to go through and reassign IP addresses to your accounts on the cPanel box so they are using the internal. When it's all said and done, you should be able to grep in your zone file directory and not have any external IP addresses, and look in your httpd.conf and see no external IPs (to do this, `cd` into your zone file dir and type `grep -R 216 *` where one of your IPs starts with 216... of course, change it to whatever your external IPs are). If you see any zones that still have external IPs, you must change them to the appropriate translated internal IP address.
So, at this point, you should be able to use dig (or nslookup) directly at your cPanel box and query it for a domain that's hosted on it and have the internal IP address returned, even from outside your network. Obviously, you can't leave it like that, so here is the magic workaround.
So, to translate your DNS responses, you'll need to do both of the following (assuming your inside interface is called "inside" and outside called "outside"):
alias (outside) 18.104.22.168 10.0.0.1 255.255.255.255
alias (inside) 10.0.0.1 22.214.171.124 255.255.255.255
So, this does two things: the first command changes any DNS response that comes THROUGH the firewall from the outside with the IP 126.96.36.199 to the internal IP of 10.0.0.1. Also, the second command does the same in the opposite direction.
Now with this in place, you should be able to use dig (or nslookup) and get the external IP from outside the firewall, but hit the server directly from inside your network and get the internal IP (since that's what's really in the zone).
I'm afraid that I didn't do too great of a job at being very clear about how to get this working, but it does work. If you want to chat on IM, just PM me and I'll help you out. It really does work...really...
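A check for the zone-file step above, as an added example that is not part of the original post: instead of grepping for one known prefix like 216, this scans every BIND zone file for A records whose address is outside the RFC 1918 private ranges, which is what "no external IPs left" actually means. ZONEDIR is an assumed location and the zone file it writes is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: audit BIND zone files for A records
# that still point at public addresses after the cPanel box was moved behind
# static NAT. Generalizes the post's "grep -R 216 *" to any non-RFC1918 address.
# ZONEDIR is an assumed location; the zone file below is constructed sample data.

ZONEDIR="${ZONEDIR:-$(mktemp -d)}"

# write_sample_zone: create one constructed zone with a record that was not reassigned
write_sample_zone() {
    cat > "$1/example.com.db" <<'EOF'
; constructed sample zone for the audit (not a real zone)
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 86400 )
@       IN NS   ns1.example.com.
ns1     IN A    10.0.0.1
www     IN A    10.0.0.5
mail    IN A    198.51.100.7
EOF
}

# is_private_ip: succeed (0) when the dotted quad is in 10/8, 172.16/12 or 192.168/16
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_public_a_records: print "file:owner:ip" for every A record (with an explicit
# owner name) whose address is not private; prints nothing when the directory is clean
list_public_a_records() {
    for f in "$1"/*.db; do
        [ -f "$f" ] || continue
        # drop ';' comments, then take the owner and the rdata that follows the "A" type field
        sed 's/;.*//' "$f" |
        awk '{ for (i = 2; i < NF; i++) if ($i == "A") { print $1, $(i + 1); break } }' |
        while read -r owner ip; do
            is_private_ip "$ip" || echo "${f##*/}:$owner:$ip"
        done
    done
}

write_sample_zone "$ZONEDIR"
list_public_a_records "$ZONEDIR"
```

Records that inherit the owner from the previous line are reported under whatever token starts the line, so keep owner names explicit in the zones you audit or extend the awk accordingly.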
papi: The problem isn't with the firewall... in fact, we're lucky the PIX even does what it does... the problem is with cPanel not being aware of it really having two different IP addresses for each IP (one internal, and the real public one).... so getting something like a Netscreen would most likely make matters worse...
err somehow I don't think hardware firewalls are that much of a pain in the *** to set up. I've never heard of anyone going through so much crap to install a hardware firewall in their rack and have any problems with cpanel boxes behind it..
Again, the problem isn't with the firewall, it's cPanel (actually, it's the way cPanel sets up the virtual hosts and DNS zones... it needs to use the public IP addresses for DNS, but the private IPs for the virtual host configuration, and as I said it isn't aware of both).
Internal requests get handled by your internal DNS server, so it naturally gets the internal addresses. External requests must pass through the firewall so they get modified with the correct external addresses.