While doing troubleshooting the first requirement is to allow traffic from internal source to external and vice versa to verify the connectivity. List are the two ways by which you can enable ICMP traffic.
1. Allow ICMP through Inspection
2. Allow ICMP by access-list
In ASA by default, all traffic going from higher security “inside” to lower security “outside” or “DMZ” is allowed without any need of additional configuration but return traffic from “outside” or “DMZ” is only allowed if the traffic is initiated from the higher security “inside”. This is true for stateful TCP traffic but ICMP is still blocked from either side. Let’s use above mention two ways to allow traffic for ICMP.
Allow ICMP through Inspection
Allow ICMP traffic through inspection when ICMP initiated from inside.
The “inspect ICMP” will dynamically allow the corresponding echo-reply, time-exceeded, destination unreachable, and timestamp reply to pass through the outside interface. Here is how ICMP inspection is configured on an ASA. This configuration is recommended because dynamic ACLs are generated per session “as needed” basis, and will be removed after timeout value expires.
Policy-map global_policy
Class inspection_default
Inspect icmp
Allow ICMP by access-list
In this case, you can directly allow ICMP traffic from outside even if it is not generated from inside. This option is not recommended as it will allow any host from outside directly ping inside traffic.
access-list outside extended permit icmp any4 any4 echo-reply
access-list outside extended permit icmp any4 any4 time-exceeded
access-list outside extended permit icmp any4 any4 timestamp-reply
access-list outside extended permit icmp any4 any4 unreachable