NAT is not enabled on the firewall; literally the only device connected to the interior network right now is that firewall. I am using that firewall to test ping through the router, and that is where I'm coming from when I say that there is no connectivity between the interior network and the internet. I have at times replaced that firewall with a single computer, which demonstrates the exact same symptoms. For all intents and purposes, assume the firewall is simply a single computer at this time.

Hello

Fyi i didn’t say nat on the fw i was referring to any fw features on the rtr or the firewall itself is negating connection due to having fw polices enabled anyhow if you say a single computer doesn't work when its directly attached can you please post the whole present configuration of that rtr -if applicable.(attach it in a file to your OP)

Also any luck on that debug output ?

As I said, I don't really know how to check any firewall features on the router, or even what to look for. I added the "nat" lines to the config because that's what someone somewhere else suggested to try maybe five years ago, and it seemed like maybe it'd work.

Literally the only configuration on the router, at least as far as I'm aware, is what was posted in the original post, with the added lines noted elsewhere regarding the ip route and the ip nat inside source list bit. That *is* the whole present configuration of that router.

Hello
As your reluctant to supply an update of the current running configuration of the rtr, the output of the nat translation table or requested debugs this is proving difficulty help you solve your problem.

The reason why Im requesting these things is to make sure you don’t have any conflicting commands negating connection, errors being reported or you have misconfiguration applied you’re not aware.

What I think you need to do here is:
1) erase the routers existing configuration and reload it
2) disconnect the none cisco fw that’s connecting to the lan interface of the rtr and attach a single host with a valid ip/subnet mask /default-gateway of the internal lan subnet
3) apply the following configuration and test connection again from the lan host.

write erase
reload

after reload but do not hardcode the physical interfaces:
conf t
ip routing
int gig0/0/0
description
no shut
ip address 174.x.x.x. 255.255.255.0
ip nat outside

int gig0/0/1
description Lan
ip address x.x.x.y 255.255.255.0
ip nat inside

access-list 1 permit x.x.x.y 0.0.0.255  <lan subnet>
ip nat inside source-list 1 interface gig0/0/0

ip route 0.0.0.0 0.0.0.0 gig0/0/0 174.x.x.x < wan next hop>

It's not that I'm reluctant to post the running config, it's that literally nothing has changed from what has already been posted (and I'm fairly certain I already posted the NAT translation table, but if I haven't, I might not know how to obtain it). But if you insist on this exercise in futility, here:

#show running-config
Building configuration...

Current configuration : 2126 bytes
!
! Last configuration change at 15:12:44 MST Sat Mar 13 2021
!
version 15.5
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 XXX
enable password 7 XXX
!
no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid XXX
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Ethernet Link to WAN
ip address 174.xxx.xxx.2 255.255.255.0
ip nat outside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Connection to LAN
ip address yyy.yyy.yyy.yyy 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 174.xxx.xxx.1
!
!
access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
password 7 XXX
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 XXX
login
transport input none
!
ntp server 192.5.41.40
!
end

The rest of what you've asked me to do will have to wait, as I'm not actually at the office right now.

“But if you insist on this exercise in futility”
Why would you state such a comment to people who use their own time willing to assist you!

Please remember these forums are here for all to assist/learn and share networking experiences none of us deserve to receive such comments-

Feel free to take your issue somewhere else if you think its futile in what we ask for you to do so to seek a resolution for a problem you clearly cannot resolve by your self.

I made that comment because you continued to insist upon seeing something that was already plainly visible in the original post. THAT was the exercise in futility, posting something that *had not changed*.

I do 100% believe that the issue is something in the config, and clearly I don't know what it is. But we spent a whole day going around about IPs because y'all wouldn't listen to me about those either. Forgive me if I'm a bit tired of this.

I have several points:

- if what you need at this point is a test that demonstrates that the router config will provide Internet access then we want to keep the test as simple as possible. Do not test with the firewall connected to the router but test with a single computer connected to the router.

- if you do test with a single computer make sure that the computer has a correct IP address for the subnet, a correct subnet mask, and that its default gateway is the IP address of the router interface.

- start the test by making sure that the computer can ping the connected inside interface of the router.

- then test making sure that the computer can ping the router outside interface.

- then test to see if the computer can access Internet resources using IP address for the destination.

- then test to see if the computer can access Internet resources using names which would require DNS resolution.

- the running config in your recent post has a number of elements that were not in the config of your original post. Those elements are probably not significant in and of themselves. But seeing them gives us a sense that we are seeing all of the config and that sense was noticeably absent about your original post.

- there is not any default firewall on the ISR router. Any firewall function found on an ISR router is the result of user configuration. If the config posted is complete and accurate then there is no firewall active on your ISR.

To provide access to the Internet on a router connected to an ISP on the outside and the enterprise network on the inside these conditions must be met:

- the router outside interface must have a correct IP address and subnet mask. (might be manually configured or might be learned via DHCP)

- the router outside interface must successfully send traffic to the ISP and receive traffic from the ISP (can the router ping the ISP address?).

- the router must have a correct default route. That default route might be manually configured or might be dynamically learned (if there is a dynamic routing protocol running between the router and the ISP, or if the router learns its IP address via DHCP). If manually configured the syntax of the default route might vary depending on whether the IP address of the interface is manually configured or is learned via DHCP.

- the router must be correctly configured to perform address translation for any traffic originated from the inside network and attempting to access the Internet.

- devices connected on the inside network must have correct IP address and subnet mask and must have a default gateway or other routing logic to assure that traffic from the device and attempting to access the Internet is forwarded to the router and received on its inside interface.

For your test with a single computer connected to the router I would suggest these steps:

- on the computer does the content of its arp table contain the mac address of the router?

- on the router does the output of show arp contain the mac address of the computer?

- can the computer ping the inside interface of the router?

- can the computer ping the outside interface of the router?

- can the computer ping the ISP interface connected to the router?

- can the computer ping 8.8.8.8?

- can the computer ping some Internet resource using its name?

Okay so, regarding those tests:

1. We do see the address of the router on the computer's ARP table.

2. The router's ARP table also displays the computer's address.

3. The computer can ping the inside interface of the router.

4. The computer cannot ping the outside interface of the router.

5. The computer cannot ping the ISP interface connected to the router.

6. The computer cannot ping 8.8.8.8.

7. The computer cannot ping some internet resource using its name.

Additionally, because it was brought up elsewhere, the router is able to ping external IP addresses from both its external and internal port, and it is also able to ping internal addresses (in this case, the one computer) from both its internal and external port.

Thank you for executing the tests and posting the results. It appears that the computer can access resources that are local (in the same subnet) but can not access resources that are remote. This is most often a sign of an incorrect default gateway configured on the computer. Can you post the output of ipconfig (or similar command if computer is not Windows)? Also please tell us the IP address of the router inside interface.

The IP address on the router's inside interface is 192.168.254.1.

On the computer, the IP address is 192.168.254.2, mask 255.255.255.0, gateway 192.168.254.1.

Thank you for the information. It is surprising that the computer can ping the inside interface but not able to ping the outside interface. Would you post the output of these commands 

show ip protocol

show ip route

show ip protocol
*** IP Routing is NSF aware ***

Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4)

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 174.137.xxx.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 174.137.xxx.1, GigabitEthernet0/0/0
174.137.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 174.137.xxx.0/24 is directly connected, GigabitEthernet0/0/0
L 174.137.xxx.xxx/32 is directly connected, GigabitEthernet0/0/0
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, GigabitEthernet0/0/1
L 192.168.254.1/32 is directly connected, GigabitEthernet0/0/1

Thank you for the outputs. This has been a long discussion and we still do not know what is the underlying issue. There are multiple aspects to consider, but from my perspective the key thing is that a computer connected to the inside interface is successful in ping to the inside interface but fails in ping to the outside interface. My initial assumption was that perhaps there was an issue with the computer configuration, especially not the correct gateway. But it appears that the computer configuration is correct. The outputs seem to indicate that on the router ip routing is enabled and the routing table clearly has the inside subnet and the outside subnet. Based on that the computer should be able to ping the outside interface. But it can not. So we are missing something. At this point I am not sure what that could be.