As Rob mentioned the ACLs you applied on the ASA interfaces are for the transit traffic only, not for the traffic destined to the ASA itself. ICMP can be denied with the command icmp deny. By default the ASA will allow any ICMP traffic to itself, whether initiated by a remote host, or returned to an ICMP traffic initiated by itself. However, as soon as you put in an icmp permit rule, that will trigger an implicit deny for any other ICMP traffic.
For example, if you leave the ASA with its default ICMP settings, it will allow all ICMP traffic destined, initiated by, and returned to itself. If you add a rule to permit only one public IP to reach the ASA via ICMP protocol, the ASA will allow the ICMP traffic only from that specific IP, and will also deny any other ICMP traffic automatically without having you to add any deny rule.
Now this would include the return traffic such as the echo replies, so in that case when you try to ping from the ASA itself, you would not get the replies back. To fix this, you need to add another rule to allow the echo-replies, that can be done with icmp permit any echo-reply outside. You can replace the any keyword with the specific IP addresses if you want.
Another thing worth mentioning is that the order is important when it comes to icmp permit/deny rules. If you place an icmp deny rule above a permit rule, the permit rule will never be hit. Of course that depends on what you specified in the rules as the IP address or host name. It works in a similar way of the normal ACLs check, top to bottom.
