Cisco ASA Series Cli Configuration Manual page 1376

Testing Your Configuration
Step 4
(Optional, for low security interfaces)
access-list ICMPACL extended permit icmp
any any
Step 5
access-group ICMPACL in interface outside
Disabling the Test Configuration
After you complete your testing, disable the test configuration that allows ICMP to and through the ASA
and that prints debugging messages. If you leave this configuration in place, it can pose a serious security
risk. Debugging messages also slow ASA performance.
To disable the test configuration, perform the following steps:
Command
Step 1
no debug icmp trace
Step 2
no logging on
Step 3
no access-list ICMPACL
Step 4
policy-map global_policy
class inspection_default
no inspect icmp
Cisco ASA Series CLI Configuration Guide
1-6
Adds an access list to allow ICMP traffic from any source host.
Assigns the access list to the outside interface. Replace "outside"
with your interface name if it is different. Repeat the command
for each interface that you want to allow ICMP traffic from high
to low.
Note
After you apply this ACL to an interface that is not the
lowest security interface, only ICMP traffic is allowed;
the implicit permit from high to low is removed. For
example, to allow a DMZ interface (level 50) to ping the
inside interface (level 100), you need to apply this ACL.
However, now traffic from DMZ to outside (level 0) is
limited to ICMP traffic only, as opposed to all traffic that
the implicit permit allowed before. After testing ping, be
sure to remove this ACL from your interfaces, especially
interfaces to which you want to restore the implicit permit
(no access-list ICMPACL).
Purpose
Disables ICMP debugging messages.
Disables logging.
Removes the ICMPACL access list, and deletes the related access-group
commands.
(Optional) Disables the ICMP inspection engine.
Chapter 1 Troubleshooting Connections and Resources