Hi RJI,

I thank you for your prompt response. I see now the command you provided helped to list icmp as one  of the default inspected  protocol. but I could not still get a ping response from a device connected to the outside interface. I can get a response from the outside device when ping  from the ASA itself but if clients connected to inside interface the ping will time out. 

 

1. The outside router is directly connected to the ASA with outside interface with the same ip address space

2. My inside interface is configured with different subnet with  dhcp enabled with gateway of the inside interface address

3. The route is configured to point to forward unknown network (0/0) traffic to  the outside router.  

 

So do you think this is ICMP issue with firewall or another problem ?

What network are you sourcing traffic from, the inside network? Are you natting the traffic on the outside interface?
If you are not natting, does the other device have a route back to that network?

Run packet-tracer and upload the output.

E.g. - packet-tracer input inside icmp <src ip> 8 0 <dst ip>

RJI,
Yes,I am sourcing the traffic from inside network. attempting to reach network connected on the outside interface of the Firewall . this outside network segment is assigned with private IP address. I am not using NAT at this point . However this device is a gateway for my internet.
It can be considered that the firewall is between two local area networks.
I will share the results of the packet tracer .

please see the results of the packet tracer. Can we say something from this ? I donot say any drop
XXXX# packet-tracer input inside icmp 192.168.7.68 8 0 192.168.0.253
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.253 using egress ifc outside:conisp1
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 78, packet dispatched to next module
Result:
output-interface: conisp1
output-status: up
output-line-status: up
Action: allow

Running a packet capture on Router would show if it receives packet or not. 

Thank you for your response. is there a way to verify the configuration other than pinging devices?

Check 1: On ASA, make sure you have ACL on Outside interface permitting ICMP from router towards inside.  

Check 2: reverse route to inside network on router, if NAT is not configured on the ASA. 

 or Configure NAT/PAT for inside network on ASA. 

Check 3: After above Check 1 & 2. run ping and do packet capture on outside interface of ASA and inside interface of router. 

 

if above doesn't resolve, can you past ASA and router config and packet capture of Outside interface ASA and Inside interface of Router?

 

Mk,

I thank you for your suggestion.

1 . there is no any ACL applied . the idea is to use the icmp inspection rule with out an acl.
2. NAT is not used and configured.

let me try a couple of suggested settings and will share results.