03-12-2012 12:44 PM - edited 03-07-2019 05:31 AM
I currently replaced my Cisco 831 with a Cisco 2901 running 151-4M1. On the LAN side, I can ping google and yahoo as well as others but I can't HTTP or FTP to them using IE. Is there something that I'm doing wrong? The config is the same as it was on the Cisco 831 and it worked fine.
!
! Last configuration change at 15:06:04 PCTime Mon Feb 20 2012
! NVRAM config last updated at 15:06:08 PCTime Mon Feb 20 2012
! NVRAM config last updated at 15:06:08 PCTime Mon Feb 20 2012
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$O3zs$8FK2nk1UL6qWNHigdl5GX.
!
aaa new-model
!
!
aaa authentication login vpnclientauth local
aaa authorization network vpngroupauth local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -5 0
clock summer-time EDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.189
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
!
interface GigabitEthernet0/0
description Outside GigabitEthernet0/0
ip address dhcp client-id GigabitEthernet0/0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description Inside GigabitEthernet0/1 Default Gateway
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
logging trap debugging
logging source-interface GigabitEthernet0/1
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
03-12-2012 01:26 PM
Can you post your 102 acl? I have a feeling that you could be blocking dns traffic....
03-12-2012 01:27 PM
I see you have access-groups applied to both interfaces, but do not see the matching access-lists? Do they exist and if they do, then can you please post them? If not, then that would be a good first starting place to look.
Thanks,
Kimberly
03-12-2012 01:39 PM
Here is the 102 ACL
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
03-12-2012 02:18 PM
Are you statically assigning dns? Your dhcp pool doesn't have anything listed for it. If you're needing to get it from dhcp, you can add the following:
ip dhcp pool sdm-pool1
 dns-server <dns-server-address>
03-12-2012 02:36 PM
I can resolve DNS names from the clients.
I also have DNS servers defined in config
ip name-server 24.92.226.11
ip name-server 24.92.226.12
03-12-2012 06:42 PM
When I run "debug ip nat detailed", I see the following. The client is 192.168.2.151. It is using a static IP and static default gateway (which is the Cisco 2901 router) and static DNS (which is the Cisco 2901 router). The router is acting as the DNS server for the clients.
001080: Mar 12 21:34:36.089 EDT: NAT: map match SDM_RMAP_1
001081: Mar 12 21:34:36.089 EDT: mapping pointer available mapping:0
001082: Mar 12 21:34:36.089 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
001083: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001084: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001085: Mar 12 21:34:36.089 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=204.160.125.126 [20305]
001086: Mar 12 21:34:36.117 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
001087: Mar 12 21:34:36.341 EDT: NAT: map match SDM_RMAP_1
001088: Mar 12 21:34:36.341 EDT: mapping pointer available mapping:0
001089: Mar 12 21:34:36.341 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
001090: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001091: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001092: Mar 12 21:34:36.341 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=98.139.127.62 [20308]
001093: Mar 12 21:34:37.333 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51585 (51585)
001094: Mar 12 21:34:37.333 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001095: Mar 12 21:34:37.453 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
001096: Mar 12 21:34:38.357 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51586 (51586)
001097: Mar 12 21:34:38.357 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001098: Mar 12 21:34:38.869 EDT: NAT: expiring 208.105.101.191 (192.168.2.191) tcp 743 (743)
001099: Mar 12 21:34:38.869 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001100: Mar 12 21:34:38.869 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 217.156.169.160(80) -> 208.105.101.191(51578), 1 packet
What is "NAT-SymDB: DB is either not enabled or not initiated." and why is NAT: expiring?
05-02-2012 08:15 AM
Hi mate, bit late to the discussion but thought I'd chime in for anyone else with a similar problem!
I don't think the problem is with NAT-SymDB, your NAT is working and the translations are happening and traffic is being fired off, but more with ACL 103 which is applied to your outside internet port (G0/0) and appears to be blocking all your return traffic.
Your own debug log points to that:
%SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
%SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
%SEC-6-IPACCESSLOGP: list 103 denied tcp 217.156.169.160(80) -> 208.105.101.191(51578), 1 packet
If you look, these are all coming from SOURCE port 80, so are probably the SYN, ACK responses from your initial packets getting slammed face first into ACL 103.
The Sym-DB errors and the Expiry are probably due to this - because there is no SYN, ACK response within a specific time period the router is removing the translation as it never established a session.
Hope this helps if you are still stuck with this mate, but fingers crossed you cracked it first!
Cheers, Karlos.
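As an added example that is not part of this thread, the following Python script applies the reasoning in the reply above to the router's own output: it pairs each NAT port allocation from "debug ip nat detailed" with the outbound flow that follows it, then checks whether each ACL 103 deny matches the reply to one of those flows. The log lines are constructed from the ones quoted in the thread, plus one made-up unsolicited inbound packet (from a documentation address) for contrast.

```python
import re

# Constructed sample modelled on the "debug ip nat detailed" output and the
# %SEC-6-IPACCESSLOGP messages quoted in the thread; the last line is a made-up
# unsolicited inbound packet so the two cases can be told apart.
SAMPLE_LOG = """\
001082: Mar 12 21:34:36.089 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
001083: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001086: Mar 12 21:34:36.117 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
001089: Mar 12 21:34:36.341 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
001090: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001200: Mar 12 21:35:00.000 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.0.113.9(4444) -> 208.105.101.191(23), 1 packet
"""

ALLOC_RE = re.compile(r"Allocated Port for (?P<inside>[\d.]+) -> (?P<gip>[\d.]+): wanted \d+ got (?P<gport>\d+)")
OUT_RE = re.compile(r"NAT\*: i: tcp \((?P<inside>[\d.]+), \d+\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\)")
DENY_RE = re.compile(r"list (?P<acl>\d+) denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def classify_denies(log_text):
    """Pair each NAT allocation with the outbound flow logged right after it,
    then decide for every ACL deny whether it dropped the reply to such a flow."""
    pending = {}   # inside host -> (global ip, global port) from its latest allocation
    flows = {}     # (global ip, global port) -> (remote ip, remote port) of the outbound session
    findings = []
    for line in log_text.splitlines():
        if m := ALLOC_RE.search(line):
            pending[m["inside"]] = (m["gip"], m["gport"])
        elif m := OUT_RE.search(line):
            if key := pending.pop(m["inside"], None):
                flows[key] = (m["dst"], m["dport"])
        elif m := DENY_RE.search(line):
            expected_peer = flows.get((m["dst"], m["dport"]))
            if expected_peer == (m["src"], m["sport"]):
                kind = "return-traffic"   # the ACL is dropping the reply to our own session
            else:
                kind = "unsolicited"      # no matching translation: the ACL is doing its job
            findings.append({"acl": m["acl"], "kind": kind, "remote": f"{m['src']}:{m['sport']}"})
    return findings


if __name__ == "__main__":
    for f in classify_denies(SAMPLE_LOG):
        print(f"ACL {f['acl']} denied {f['kind']:15} from {f['remote']}")
```

A "return-traffic" finding for an outside-interface ACL is the signature of a stateless ACL with no inspection or established-session allowance in front of NAT, which is exactly what the reply above diagnoses.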
05-02-2012 09:51 AM
Hi there,
Please try this out.
ip inspect name FW tcp
ip inspect name FW udp
interface GigabitEthernet0/0
ip inspect FW in
ip inspect FW out
Please let me know if that helps.
thanks