Allow Pings (ICMP) & Traceroutes through Cisco ASA Firewalls

ASA Firewalls does not allow ICMP traffic to pass through it's interfaces by default. For real scenarios it is better that way in terms of security concerns. But for lab purposes and to verify implementations you will need it to be allowed from Firewall.

Why ICMP is blocked by ASA?

Short answer is because it is not in the list of state full inspection protocols. 

You can see the default inspection protocols list on the capture.

So you may need to configure access-control rules for both source and destination interfaces but it will bypass the firewall functionality. Firewall should remember the legitimate ICMP traffic and allow only the return traffic to pass through.

So you will need to add ICMP to the default inspection policy in global policy which is under the service policies.

Doing it in CLI is simple;

policy-map global_policy

 class inspection_default

  inspect icmp

  inspect icmp error

Make ASA Visible in Traceroutes

By default ASA is not visible in traceroutes as it does not decrement the TTL. To make it visible in a traceroute, we will need to add the following configuration to the default class in global policy.

policy-map global_policy

 class class-default

  set connection decrement-ttl