When troubleshooting, the first requirement is to allow traffic from an internal source to an external destination, and vice versa, to verify connectivity. Listed below are the two ways to enable ICMP traffic.

1. Allow ICMP through Inspection

2. Allow ICMP by access-list

On an ASA, by default all traffic going from the higher-security “inside” to the lower-security “outside” or “DMZ” is allowed without any additional configuration, but return traffic from “outside” or “DMZ” is only allowed if the traffic was initiated from the higher-security “inside”. This is true for stateful TCP traffic, but ICMP is still blocked from either side. Let’s use the two ways mentioned above to allow ICMP traffic.

Allow ICMP through Inspection

Allow ICMP traffic through inspection when ICMP is initiated from the inside.

The “inspect icmp” command will dynamically allow the corresponding echo-reply, time-exceeded, destination unreachable, and timestamp reply to pass through the outside interface. Here is how ICMP inspection is configured on an ASA. This configuration is recommended because dynamic ACLs are generated per session on an “as needed” basis and are removed after the timeout value expires.

policy-map global_policy

 class inspection_default

  inspect icmp

Allow ICMP by access-list

In this case, you can directly allow ICMP traffic from the outside even if it was not initiated from the inside. This option is not recommended, as it will allow any host on the outside to directly ping inside hosts.

access-list outside extended permit icmp any4 any4 echo-reply

access-list outside extended permit icmp any4 any4 time-exceeded

access-list outside extended permit icmp any4 any4 timestamp-reply

access-list outside extended permit icmp any4 any4 unreachable
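
To check which of the two approaches a given configuration actually uses, the following added example (not part of the original article) scans saved configuration text for "inspect icmp" under global_policy and for "permit icmp" entries with any source and any destination. The sample configuration is constructed, the function names are hypothetical, and the address parsing is a simplified assumption that does not cover every ASA ACL form.

```python
import re

# Constructed sample of an ASA running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
!
access-list outside extended permit icmp any4 any4 echo-reply
access-list outside extended permit icmp any4 any4 time-exceeded
access-list outside extended permit icmp host 192.0.2.10 host 198.51.100.5 echo
access-list outside extended permit tcp any4 host 198.51.100.5 eq 443
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+(.+)$", re.I)

def icmp_inspection_enabled(config, policy="global_policy", cls="inspection_default"):
    """True if 'inspect icmp' is configured under the given policy-map and class."""
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if not raw[0].isspace():              # top-level command starts a new section
            in_policy, in_class = line == f"policy-map {policy}", False
        elif in_policy and line.startswith("class "):
            in_class = line == f"class {cls}"
        elif in_policy and in_class and line == "inspect icmp":
            return True
    return False

def _take_addr(tokens):
    """Consume one address spec (simplified); return (is_any, remaining tokens)."""
    if not tokens:
        return False, []
    if tokens[0].lower() in ("any", "any4", "any6"):
        return True, tokens[1:]
    width = 1 if "/" in tokens[0] else 2      # IPv6 prefix, else 'host X' / 'addr mask' / 'object X'
    return False, tokens[width:]

def broad_icmp_permits(config):
    """List (acl_name, icmp_type) for each 'permit icmp' with any source and any destination."""
    findings = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            src_any, rest = _take_addr(m.group(2).split())
            dst_any, rest = _take_addr(rest)
            if src_any and dst_any:
                findings.append((m.group(1), rest[0] if rest else "all"))
    return findings
```

When inspection is enabled and broad entries are still reported, those ACL lines are candidates for removal or for narrowing to specific hosts.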