I might be mistaken here, but in your mwf's when you are authoring the layers you have to specify the path to the mapagent. I think if you use the internal IP address for the URL then the internal access should work without the host name involved. When the external request comes in the public IP will get redirected to the internal IP at the firewall so it should resolve.
Give that a try and let me know if that works,
Regards,
Dave