You mention that you have source NAT on VLAN 999 and that is your public IP. You don't want source NAT enabled on your public interface; you want it enabled on your other internal VLANs.
My gateway is a 3200XM as well. Relevant portions of config:
interface vlan 192
    ip address 192.168.13.254 255.255.255.0
    ip nat inside
    description "home-net"
!
interface vlan 470
    ip address dhcp-client
    description "xfinity-vlan"
!
interface gigabitethernet 1/3
    description "xfinity-uplink"
    trusted
    trusted vlan 1-4094
    ip access-group "XFINITY-LINK-ACL" session
    switchport access vlan 470
!
ip default-gateway import dhcp
!
ip access-list session XFINITY-LINK-ACL
    any any svc-dhcp permit
    any any any deny
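
Added example, not part of the original post: a small Python check that reads a config laid out like the one above and flags source NAT on the public VLAN, internal VLANs without `ip nat inside`, and an uplink port with no session ACL. It assumes the DHCP-addressed VLAN is the public side; the sample config and the function names are constructed for illustration.

```python
# Constructed sample config: same layout as the post, but with the mistake
# the reply describes (NAT on public VLAN 999, none on the internal VLAN).
SAMPLE = """\
interface vlan 192
    ip address 192.168.13.254 255.255.255.0
    description "home-net"
!
interface vlan 999
    ip address dhcp-client
    ip nat inside
!
interface gigabitethernet 1/3
    trusted
    switchport access vlan 999
!
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]}; '!' ends a stanza."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            current = blocks.setdefault(line[len("interface "):], [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(text):
    """Flag NAT on the public VLAN, internal VLANs lacking NAT, unfiltered uplinks."""
    blocks = parse_interfaces(text)
    vlans = {n.split()[1]: c for n, c in blocks.items() if n.startswith("vlan ")}
    # Assumption: the VLAN addressed by the ISP's DHCP is the public side.
    public = {v for v, c in vlans.items() if "ip address dhcp-client" in c}
    findings = []
    for vlan, cmds in vlans.items():
        nat = "ip nat inside" in cmds
        if vlan in public and nat:
            findings.append(f"vlan {vlan}: source NAT enabled on public VLAN")
        elif vlan not in public and not nat:
            findings.append(f"vlan {vlan}: internal VLAN has no 'ip nat inside'")
    for name, cmds in blocks.items():
        on_public = any(c == f"switchport access vlan {v}" for c in cmds for v in public)
        if on_public and not any(c.startswith("ip access-group ") for c in cmds):
            findings.append(f"{name}: uplink port has no session ACL")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```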