I have my Aruba 7005 controller running 8.4.x set up as router connected directly to my cable modem. I have port forwarding enabled after following a few other posts (1, 2, 3). Everything works well except one issue. Devices with internal IPs aren't being port forwarded when trying to communicate with the public port-forwarded host/IP. External traffic works well and does get port-forwarded OK.
To explain further, I have set up a public hostname for my public IP, grimace.dyndns.biz. I have a local service running on my network (192.168.1.51 with port 9443) that I want to serve to the internet. Traffic from the internet can successfully communicate with grimace.dyndns.biz:9443. But other devices internal to the network cannot, i.e. my laptop with 192.168.1.22 can't communicate with grimace.dyndns.biz:9443.
Here's my relevant config:
```text
ip dhcp pool local
   default-router 192.168.1.1
   dns-server import
   domain-name grimace.dyndns.biz
   network 192.168.1.0 255.255.255.0
interface vlan 1
   ip address 192.168.1.1 255.255.255.0
   ip nat inside
# VLAN connected to my cable modem
interface vlan 100
   ip address dhcp-client
   ip nat outside
ip access-list session controller-uplink-acl
   any any svc-dhcp permit
   any any tcp 9443 dst-nat ip 192.168.1.51 9443 log
   any any any deny log
interface gigabitethernet 0/0/0
   ip access-group session "controller-uplink-acl"
   switchport access vlan 100
firewall cp
   ipv6 deny any proto 0 ports 0 65535
   ipv4 permit any proto 6 ports 9443 9443
```
I ran a packet capture on the 192.168.1.51 server and got no hits when making the internal request. On the controller session datapath, it just shows a `YC` error. In these logs, note that grimace.dyndns.biz resolves to 24.4.39.46 (not in real world but obfuscated for privacy).
```text
show datapath session table | include 9443
192.168.1.22 24.4.39.46 6 61501 9443 1/0 0 24 0 0/0/1 3 1 64 YC 6
24.4.39.46 192.168.1.22 6 9443 61501 0/0 0 24 0 0/0/1 3 1 40 F
```
What am I missing? Some sort of additional routing config? IP NATting issue?
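A small diagnostic, added here and not part of the original post, that parses the two `show datapath session table` rows above and flags the inside-to-public-IP flow that never received a dest-NAT translation. It assumes the Aruba datapath flag legend in which `N` marks a dest-NATed session and `S` a src-NATed one, and takes the public IP and the 9443 forward from the config in the question; the sample rows are constructed from the output shown.

```python
import re
from dataclasses import dataclass

# Values from the question: public IP and the dst-nat rule in controller-uplink-acl
PUBLIC_IP = "24.4.39.46"
FORWARDS = {("6", 9443): ("192.168.1.51", 9443)}  # (proto, public port) -> (inside host, port)

# Constructed sample: the two rows from `show datapath session table | include 9443`
SAMPLE = """\
192.168.1.22 24.4.39.46 6 61501 9443 1/0 0 24 0 0/0/1 3 1 64 YC 6
24.4.39.46 192.168.1.22 6 9443 61501 0/0 0 24 0 0/0/1 3 1 40 F
"""

@dataclass
class Session:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str

FLAGS_RE = re.compile(r"^[A-Za-z]+$")

def parse_sessions(text):
    """Pull src, dst, proto, ports and flags out of each session row.
    The flags column is the first all-letter token after the numeric counters;
    rows may or may not carry a trailing CPU column, so it is found by pattern, not index."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        flags = next((t for t in f[13:] if FLAGS_RE.match(t)), "")
        sessions.append(Session(f[0], f[1], f[2], int(f[3]), int(f[4]), flags))
    return sessions

def find_untranslated_hairpins(sessions, inside_net="192.168.1."):
    """Return sessions an inside client opened toward the public IP on a forwarded port
    that carry no 'N' (dest NAT) flag: the dst-nat in the uplink ACL never matched because
    the packet entered on the inside VLAN, not on gigabitethernet 0/0/0 where the ACL sits."""
    hits = []
    for s in sessions:
        if s.src.startswith(inside_net) and s.dst == PUBLIC_IP and (s.proto, s.dport) in FORWARDS:
            if "N" not in s.flags:
                hits.append(s)
    return hits

if __name__ == "__main__":
    for s in find_untranslated_hairpins(parse_sessions(SAMPLE)):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} flags={s.flags!r}: no dest-NAT applied")
```

A session that the controller did translate would show `N` in its flags; absence of it on the inside-originated row is the quickest confirmation that the forward is only evaluated on the uplink path.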