Hi Georg,
they're actually trying to connect to X.Y.W.Z, address which is given them by the Dynamic DNS.
I'm pretty sure Internal servers allow connections because they're actually reachable from inside the LAN with their private IPs and also I could connect them from outside when I had the previous router (Cisco RV134W), so this is the reason because I'm wondering about the nat or ACL configuration on the 1113-8p...

Hello
First of all please remove that address, you dont want to share pubic addressing to your network on public forums,

Lastly I have just tried conecting to that address on port 80/81 and its connected so it looks like you natting is fine, maybe the dns entrys your people are using is incorrect.

Hello,

odd indeed. Try and add the lines in bold to your dialer interface and configuration, not sure if that makes a difference:

interface Dialer1
--> mtu 1492
ip address negotiated
--> no ip redirects
--> no ip unreachables
--> no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
--> dialer-group 1
--> ip tcp adjust-mss 1452
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept

!

--> dialer-list 1 protocol ip permit

Hi Georg,
I tried to do what you said but unfortunately the behaviour hasn't changed.
As Paul wrote before, the external interface is reachable and its ports are opened. But I don't know why the packets, once reached the external port, aren't submitted at the internal device's port...

If you've any other suggestion, I can try!
Thanks in advance!

Hi guys,
I don't know if this could be a useful information for you to help me, but this is the result of
show ip nat translations
command (I masked my actual public IP with XX.YY.WW.ZZ):

Pro Inside global Inside local Outside local Outside global
tcp XX.YY.WW.ZZ:80 192.168.178.109:80 --- ---
udp XX.YY.WW.ZZ:80 192.168.178.109:80 --- ---
tcp XX.YY.WW.ZZ:443 192.168.178.109:443 --- ---
udp XX.YY.WW.ZZ:443 192.168.178.109:443 --- ---
tcp XX.YY.WW.ZZ:81 192.168.178.200:81 --- ---
udp XX.YY.WW.ZZ:81 192.168.178.200:81 --- ---
udp XX.YY.WW.ZZ:5060 192.168.178.200:5060 --- ---
tcp XX.YY.WW.ZZ:10368 192.168.178.13:39480 216.58.208.168:443 216.58.208.168:443
tcp XX.YY.WW.ZZ:10565 192.168.178.4:60925 64.233.167.188:5228 64.233.167.188:5228
tcp XX.YY.WW.ZZ:6363 192.168.178.3:53652 151.99.109.59:443 151.99.109.59:443
tcp XX.YY.WW.ZZ:9863 192.168.178.10:57214 216.58.208.163:443 216.58.208.163:443
tcp XX.YY.WW.ZZ:11046 192.168.178.3:51667 156.54.225.18:80 156.54.225.18:80
tcp XX.YY.WW.ZZ:5675 192.168.178.9:38092 31.13.86.52:443 31.13.86.52:443
tcp XX.YY.WW.ZZ:11121 192.168.178.9:34690 31.13.86.34:443 31.13.86.34:443

I even tried changing the access-list to permit any, but it didn't work...

Hi Paul,
and thank you for your kind reply.
The external hosts are using Google DNS, 8.8.8.8 to be exact, so it seems they're ok but tell me if I can check some more.

I also tried to configure what you suggested, but the scenario hasn't changed... still unable to access from outside. I'm open to any test if you've other solutions!

Thanks in advance!

Hello

Just to confirm these external hosts are indeed external from your local network ,What I mean is that they are not internal hosts trying to connect to an internal web server via its public natted address correct?

Also can you access this internal web server internally via it internal ip address or hostname, Do you have a successful connection.

Hi Paul,
yes for both your assumptions: the external hosts are completely outside my LAN, they're mobile devices with their own 4G connections. And yes, I can access the two servers through their private ip / ports.

Hello
Can you remove the static UDP nat statements and then post the config of the router again please.

On a external client perform a dns lookup and see if the FQDN resloves to your public ip routers address  and try accessi ng the web server via the public ip addreess instead

nslookup
>mywebserver.com

Do your internal clients access the internet via nat okay?

Hi Paul,
the nslookup from the external client shows this (I masked FQDN and public IP address):

Server: n1-43-168-192.mas2.nsw.optusnet.com.au
Address: 192.168.43.1

Non-authoritative answer:
Nome: <FQDN>
Address: X.Y.W.Z

I can confirm I can't access the webservers neither from the FQDN nor the public ip address (ERR_CONNECTION_REFUSED in both cases) and also the hosts of my LAN have no problem accessing the Internet.

And this is my actual complete running-config, where I cut off the static nat part (according to your request) and the certificate part (just to keep it shorter):

Building configuration...


Current configuration : 7876 bytes
!
! Last configuration change at 21:32:27 UTC Sat Feb 8 2020
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server 192.168.178.1
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1842956524
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1842956524
revocation-check none
rsakeypair TP-self-signed-1842956524
!
!
crypto pki certificate chain SLA-TrustPoint
<----omitted---->
!
license udi pid C1113-8P sn FCZ2343C2X0
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
ip nat inside
!
interface Dialer0
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http secure-port 8080
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
<----------omitted------------->
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 deny ip host 192.168.178.109 any
access-list 100 deny ip host 192.168.178.200 any
access-list 100 permit ip 192.168.178.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end

...just want to say you I really appreciate your interest and help, btw!

Hello,

just looking at the last configuration you posted:

interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside --> change this to 'ip nat outside'
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly

Not sure what difference that makes. In any case, also leave the 'mtu 1492' on the dialer interface...