spent a day and looking and trying dozens of suggestions posted by other threads on this issue. this is the only solution that worked. Basically it's the only solution that suggested using Static NAT. I finally realised I wasn't forwarding the data ports but only the initial connection port. Other threads are even saying you didn't need to forward those data ports because ALG takes care of that??
Very misleading. Once again, thanks very much for this advice. Static NAT is the winner here! (for me anyway haha).