ISR C1161X-8P routing without NAT

markagregory
Level 1

I would appreciate an example config of how to set up the router without NAT. I found this was possible when I had a PIX 506E but cannot seem to get it working on the ISR.


Steps so far.

The internal LAB is a /24 subnet of public IP addresses

create a vlan for the 8 ports with the IP set to xxx.xxx.68.254

added a static route to send traffic to the next hop

ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13

added an IP on the GigabitEthernet0/0/0 xxx.xxx.253.10 mask 255.255.255.240

no ACLs - simply want to get the traffic moving first

PCs on the VLAN ports can talk to each other and the ISR

PC traffic sent to the Internet but no return traffic to the PC

I guess there is a need to route the traffic from GigabitEthernet0/0/0 to the VLAN, but how?

13 Replies

Giuseppe Larosa
Hall of Fame

Hello @markagregory ,

you need

ip routing

in global config mode to be able to route

This should be a default on an ISR router

Of course the ISP router needs to know that the public subnet is behind your router, otherwise no return traffic will arrive to your PCs.

Hope to help

Giuseppe


I believe that Giuseppe has correctly identified the issue as the need for routes for your Public subnet on the ISP. A simple way to test this would be to do a ping to some Internet resource specifying the source address as G0/0/0 (which should work - if not you have a different problem) and then ping the same resource specifying the source address as the vlan address on the router. 

HTH

Rick

Hi Richard,

we know that the networking is set up correctly. The ISR is being installed to replace a non-Cisco box that does not support TLS 1.2 or 1.3.

The config from the existing box is being used as a guide, but of course there are differences between vendor OS.


vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!

Key aspects of the config so far are

interface GigabitEthernet0/0/0
description WAN GE 0/0/0
ip address xxx.xxx.253.10 255.255.255.240
negotiation auto
crypto map static-map

!

interface GigabitEthernet0/1/0
description VLAN68Port0
switchport mode access

!
interface Vlan1
description VLAN68
ip address xxx.xxx.68.254 255.255.255.0
!
interface Vlan2
no ip address
!

ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13

thank you Giuseppe,


I'm really at the point now where I need to look at an example config. Any pointers welcome.

Hello @markagregory ,

make the following test suggested by Richard from the Cisco router shell:


ping xxx.xxx.253.13 source VLAN1


if this does not work you will know that the ISP router does not know about the public subnet in the "inside".

I see you have removed zone statements from interfaces. So the Zone Based FW should not come into play.

Edit:

In your WAN interface you have applied a crypto map; depending on the ACL used to define interesting traffic (traffic to be encrypted) you can face issues. I would suggest trying to remove it for some time and testing again.

Be aware that in this type of extended ACL used to define traffic to be encrypted the keyword any should never be used, as it can lead to undesired results.

Hope to help

Giuseppe


You tell us "we know that the networking is setup correctly." Can you tell us whether you have conducted the test that I suggested?

@Giuseppe Larosa makes good points about crypto map and encrypted traffic. Perhaps a more complete output of the running config might shed some light. 

I am thinking about this from your original post "PC traffic sent to the Internet but no return traffic to the PC" How did you determine that PC traffic was sent to the Internet? 


HTH

Rick

@Richard Burts thank you for the reply.

To be clear, the upstream router is correctly configured.

It appears that this router is not correctly configured.

Let me pose a question. On the legacy router traffic that is incoming is moved from the WAN to LAN interface by the device. The only "route" set on the device is

ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13


It appears that the Cisco ISR operates differently and I'm not sure what command to enter to get traffic from the WAN to move to the VLAN.

I note @Giuseppe Larosa's great comment about "crypto map static-map" and will test with this removed to see if it is a problem. I'm trying to get an AnyConnect VLAN working as well and thought I had removed all commands related to the VPN but missed this one.

I'll set up a test this weekend.

You ask "I'm not sure what command to enter to get traffic from the WAN to move to the VLAN." It is quite simple. If the WAN interface is in the up/up state and configured with an appropriate IP address and mask, and if the VLAN interface is in the up/up state and configured with an appropriate IP address and mask then the needed command is "ip routing" and I would expect that to be enabled by default. If it is not enabled for some reason then you should enable it.

My experience with AnyConnect is that it does not use a crypto map. A crypto map is typically used for site to site vpn or for Remote Access IPSec vpn. So I am a bit puzzled why the crypto map would be associated with AnyConnect.

HTH

Rick

Hello,

I am probably a bit late to the discussion, but you have posted the partial configs below. Can you post the full running configs of the existing router (the one with the ZBF, I assume) and the new router?

vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!

Key aspects of the config so far are

interface GigabitEthernet0/0/0
description WAN GE 0/0/0
ip address xxx.xxx.253.10 255.255.255.240
negotiation auto
crypto map static-map

!

interface GigabitEthernet0/1/0
description VLAN68Port0
switchport mode access

!
interface Vlan1
description VLAN68
ip address xxx.xxx.68.254 255.255.255.0
!
interface Vlan2
no ip address
!

ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13

thank you @Georg Pauwen 


I've copied the existing router config - it is a HP MSR1003-8

and the ISR C1161X-8P config as it was the day I was trying to swap out the old router.


Before I try to do the swap again, it would be great to work out what went wrong and how to correct.

Hello @markagregory ,

the suggested test is very simple:

ping xxx.xxx.253.13 source VLAN1

from the ISR router, and this will tell you if the ISP router knows or not about the public subnet inside.

Remove the crypto map and in any case also commands related to ZBFW like zone from each interface.

Hope to help

Giuseppe


Thank you @Giuseppe Larosa 

Unfortunately, I cannot test as the router was replaced with the old router whilst I work out what went wrong.

I've attached the two configs above, and will try to setup a testbed this weekend.


Unfortunately, we have a covid lockdown in place and I can only get into the office periodically. I'll try to setup a testbed using the router and a couple of PCs, one acting as the upstream router (thankfully I'm old enough to remember how to do this).

markagregory
Level 1

Thank you @Giuseppe Larosa and @Richard Burts 


The problem was the VPN setup, so I've removed the offending command that you helped identify. I also added the ACL to permit ICMP to return to the router. Now I can use the router's diagnostic tool and it will ping 8.8.8.8, and a PC attached to the LAN can also ping 8.8.8.8.

So the problem I have is to find an example of how to set up the AnyConnect VPN correctly. My effort was based on an example on the web that used the SSL certificate that I installed (the SSL appears to be valid from a browser). Help to fix the VPN would be appreciated.

The current config is attached.
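A small config linter, added here as an illustration and not part of the thread or of any Cisco tooling, that checks running-config text for the three things the replies point at: a crypto map left on an interface, ZBFW zone membership on an interface, and a default route whose next hop is not on a connected subnet (plus an explicit "no ip routing"). The sample config is constructed from the posted fragments; the thread masks the public prefixes as xxx.xxx, so documentation addresses (203.0.113.0/24, 198.51.100.0/24) stand in for them.

```python
"""Lint IOS running-config text for the leftovers discussed in the thread."""
import ipaddress
import re

# Constructed sample modelled on the fragments posted above; the masked
# public prefixes are replaced with RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 description WAN GE 0/0/0
 ip address 203.0.113.10 255.255.255.240
 crypto map static-map
!
interface Vlan1
 description VLAN68
 ip address 198.51.100.254 255.255.255.0
 zone-member security INSIDE
!
ip route 0.0.0.0 0.0.0.0 203.0.113.13
"""

def parse_interfaces(config):
    """Map interface name -> {'addr': IPv4Interface or None, 'lines': [...]}.
    Indented lines belong to the current interface block; '!' or any
    unindented line ends the block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"addr": None, "lines": []}
        elif current and line.startswith(" "):
            body = line.strip()
            interfaces[current]["lines"].append(body)
            m = re.match(r"ip address (\S+) (\S+)$", body)
            if m:  # ip_interface accepts a dotted netmask after the slash
                interfaces[current]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        else:
            current = None
    return interfaces

def lint(config):
    """Return (scope, finding) tuples; scope is an interface name or 'global'."""
    findings, ifaces = [], parse_interfaces(config)
    for name, data in ifaces.items():
        for body in data["lines"]:
            if body.startswith("crypto map "):
                findings.append((name, "crypto map applied; its interesting-traffic ACL can divert or drop traffic"))
            if body.startswith("zone-member security "):
                findings.append((name, "ZBFW zone membership present; the inspect policy applies here"))
    if re.search(r"^no ip routing$", config, re.M):
        findings.append(("global", "ip routing disabled; the router will not forward between interfaces"))
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M):
        hop = ipaddress.ip_address(m.group(1))
        if not any(d["addr"] and hop in d["addr"].network for d in ifaces.values()):
            findings.append(("global", f"default route next hop {hop} is not on any connected subnet"))
    return findings
```

Running lint(SAMPLE_CONFIG) flags the crypto map on GigabitEthernet0/0/0 and the zone membership on Vlan1 while accepting the default route, since 203.0.113.13 lies inside the WAN interface's /28.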
