How to NAT/route/portforward from a cable router (C7800?)

> [...] a cable modem/router on XFinity, [...]

> [...] The existing comcast device [...]

   To be clear, you're asking on a Netgear forum about some
(unspecified) Comcast-supplied device?

> [...] set up SSLVPN access to my local network [...]

   I don't know enough about your (unspecified) "SSLVPN".

> [...] - provided by a firewall [...]

   Nor about your (unspecified) "a firewall".

> [...] plugged into the comcast cable router

   Nor about your (unspecified) "the comcast cable router", but I might
be able to make some better guesses about that.

> [...] I put in [externalIP]:4433 (the correct port number), [...]

   "put in" _where_?  What, exactly, are you doing, with what, where?

> [...] but never get connected to my LAN the way I did when the
> firewall had a static public IP address. [...]

   Now that we know what does _not_ happen, ...

   Presumably, your (unspecified) "the comcast cable router" does NAT,
so that if you want to make an incoming connection to a device on its
LAN (like, say, your (unspecified) "my firewall WAN port"), then you'd
want something like a port-forwarding rule on "the comcast cable router"
to enable that.

> [...] I tried several different ways to set up a NAT rule [...]

   Assuming that "NAT rule" is your name for a port-forwarding rule, how
many of those "several different ways" do you think that the
non-psychics in your audience can assess based on that that information?

> [...] but nothing worked.

   "not work" is not a useful problem description.  It does not say what
you did.  It does not say what happened when you did it.  As usual,
showing actual actions (commands) with their actual results (error
messages, LED indicators, ...) can be more helpful than vague
descriptions or interpretations.

   Knowing nothing, if your (unspecified) "my firewall" uses port 4433,
then I'd expect a rule like the following to do the job:

      External Port   Internal Port   Internal IP Address
           4433            4433           10.0.0.18

   Presumably, you could test this stuff from a system on the LAN of
your (unspecified) "the comcast cable router", using the (LAN) IP
address of your (unspecified) "my firewall WAN port".

   If your (unspecified) "the comcast cable router" does NAT loopback,
then it should be possible to use the (external/public?) IP address of
the WAN/Internet interface of "the comcast cable router", which would
exercise the port-forwarding rule.

   But what do I know about your (unspecified) "the comcast cable
router", or any of the rest of this stuff?

   Possibly interesting (the usual problems with port forwarding):

      https://community.netgear.com/t5/x/x/m-p/1859106

> [...] Can I do that with a Netgear cable router?

   I'd guess that the port-forwarding capabilities of a Netgear Cxxxx
model wouldn't differ greatly from those of an (unspecified) "the
comcast cable router".  But what do I know?