ASA 5506 Access List Problem

Tom101 (Level 1)

Hello Cisco Community,

I am trying to allow port 80 through an ASA 5506 firewall from my DMZ to an INTERNAL zone for an HTTP server. I am having a problem with the access list and have encountered a strange problem.

The IP address of my HTTP server is 192.168.2.1. When I use the access-list command:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www

it works fine. However, when I use the command with "eq www":

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

it drops the HTTP packets and doesn't allow them through the firewall. Does anyone know why?

I'm applying the access list to the DMZ interface in the "in" direction:

access-group WEB-INSIDE in interface DMZ

I have attached two Packet Tracer files to demonstrate a working and a non-working configuration. I may be doing something wrong. Thank you.

19 Replies

access-list WEB-INSIDE extended permit tcp any host 192.168.2.1 eq www

This is the right one, I think, to let an OUT host access the server on the IN side.

Hi MHM,

Thank you for your reply. I tried to implement your suggestion but couldn't get it to work. I thought I had the source/destination the right way round, but I may have it wrong. I don't use access lists very often.

It is strange, because when I use the command:

access-list WEB-INSIDE extended permit icmp host 192.168.2.1 any

the ICMP packets don't get dropped and ping works fine. Do you have any other suggestions?

Can I see the full config?

Yes, I have attached the Packet Tracer files, but I'll paste the configuration here too.

Here's a photo of the config: [Screenshot 2022-12-20 at 20.27.27.png]

ASA Firewall config:

interface GigabitEthernet1/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet1/3
 nameif OUTSIDE
 security-level 0
 no ip address
 shutdown
!
object network DMZ-WEB
 host 192.168.2.1
 nat (DMZ,OUTSIDE) static 1.1.1.1
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
access-list WEB-INSIDE extended permit icmp host 192.168.2.1 any
access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www
!
access-group WEB-INSIDE in interface DMZ
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
!
service-policy global_policy global

No need for any access list, since the traffic is initiated from the high-security IN (100) to the low-security DMZ (50).

For ICMP you need:

policy-map global_policy
 class inspection_default
  inspect icmp <<- this is what you need

Will that work for ports 80 and 443 if I want HTTPS, or just for ICMP?

I will run a lab for you and check your config.
I'll update you today.

Thanks so much.

[Screenshot (317).png]

As I mentioned before, since the traffic goes from a high to a low security level (from 100 to 50), no ACL is needed.
Then what is the issue??

The ISSUE is a PKT limit. You need to first:
1- no policy-map global_policy
2- no service-policy global_policy global
3-
policy-map global_policy
 class inspection_default
  inspect http <<- add this
  inspect icmp <<- add this
4- service-policy global_policy global

And as you see, I can access HTTP in the DMZ without any issue.
See, I changed the hello message to "welcome to MHM".
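To make the ACL semantics discussed in this thread concrete (the "eq www" versus "gt www" question in the original post, and the point in the reply above that an INSIDE-to-DMZ connection needs no ACL because of the security levels), here is an added example that is not from the thread or from Cisco: a small Python evaluator for `access-list ... extended` lines plus the ASA security-level rule. It models only the first packet of a new connection; on a real ASA the replies of an established connection are matched against the connection table, not the interface ACL. The client host 192.168.1.10 and the ephemeral ports are constructed for the example; source-port operators, object-groups and time ranges are not modelled.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}
Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))  # ports 0 for icmp
Ace = namedtuple("Ace", "action proto src dst op port")  # op: eq/gt/lt/neq on dport, or None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [OP PORT]' line.
    Source-port operators, object-groups and time ranges are not modelled."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACL syntax: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    op, port = None, 0
    if i < len(t):
        op, port = t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, op, port)


def parse_acls(config_lines):
    """Group ACEs by ACL name, keeping order: the ASA evaluates top-down."""
    acls = {}
    for line in config_lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def ace_matches(ace, flow):
    port_ok = {"eq": flow.dport == ace.port, "gt": flow.dport > ace.port,
               "lt": flow.dport < ace.port, "neq": flow.dport != ace.port}
    return (ace.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.op is None or port_ok[ace.op]))


def evaluate_acl(aces, flow):
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def ingress_decision(ingress, egress, sec_levels, access_groups, acls, flow):
    """Decision for the first packet of a new connection entering `ingress`.
    An access-group bound 'in' on that interface replaces the security-level
    rule; without one, higher-to-lower security is permitted, lower-to-higher denied."""
    if ingress in access_groups:
        return evaluate_acl(acls[access_groups[ingress]], flow)
    return "permit" if sec_levels[ingress] > sec_levels[egress] else "deny"


# Constructed scenario mirroring the thread: INSIDE=100, DMZ=50, web server 192.168.2.1.
SEC_LEVELS = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}
ACCESS_GROUPS = {"DMZ": "WEB-INSIDE"}
ACL_EQ = parse_acls(["access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www"])
ACL_GT = parse_acls(["access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www"])

CLIENT_TO_SERVER = Flow("tcp", "192.168.1.10", "192.168.2.1", sport=51000, dport=80)
SERVER_REPLY = Flow("tcp", "192.168.2.1", "192.168.1.10", sport=80, dport=51000)
SERVER_NEW_HTTP = Flow("tcp", "192.168.2.1", "192.168.1.10", sport=51001, dport=80)


def scenario():
    """Decisions for three flows under the 'eq www' and 'gt www' variants of the ACL."""
    out = {}
    for label, acls in (("eq", ACL_EQ), ("gt", ACL_GT)):
        args = (SEC_LEVELS, ACCESS_GROUPS, acls)
        out[label] = {
            # Enters on INSIDE, which has no access-group: level 100 > 50 permits it.
            "client_to_server": ingress_decision("INSIDE", "DMZ", *args, CLIENT_TO_SERVER),
            # The reply judged as if it were a new flow entering DMZ: its dport is the
            # client's ephemeral port, so 'eq www' fails to match and 'gt www' matches.
            "reply_as_new_flow": ingress_decision("DMZ", "INSIDE", *args, SERVER_REPLY),
            # A connection the server itself opens to port 80 on an inside host.
            "server_initiated_http": ingress_decision("DMZ", "INSIDE", *args, SERVER_NEW_HTTP),
        }
    return out
```

Calling `scenario()` shows the asymmetry: the client-to-server connection is permitted under both variants because it enters on INSIDE, where no access-group is bound and the security-level rule applies; `eq www` only matches connections the server itself opens to port 80, while `gt www` matches anything with a high destination port, which is exactly the shape of the reply direction. On a real ASA that reply direction is already covered by the connection table, so the ACL bound on DMZ governs only what the DMZ host may initiate.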

Thank you for trying. I still cannot get it working on my computer. I have tried multiple times, starting with a new 5506 firewall. It works perfectly on the 5505 with the same config, but not on the 5506 firewall. I am on an ARM computer, so it might be something to do with that.

Only repeat the same steps I mentioned above and it will work.

Finally got it to work, thank you. There seems to be a bug with Packet Tracer saving the global policy-map. It does not always register it on my computer, and then when I restart Packet Tracer it restores it to the default, even when using 'write memory' and 'copy running-config startup-config'.

You are so, so welcome, friend, any time.

Edit: misread the question.
