here are the configurations:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif IN
 security-level 80
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif OUT
 security-level 20
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network CL
 host 192.168.1.2
object network PL1
 host 10.1.1.10
object network S1
 host 10.1.1.2
object network S2
 host 10.1.1.3
object network PL2
 host 10.1.1.20
access-list ANY extended permit ip any any
access-list BB extended permit ip any any
access-list OUT extended permit ip any any
pager lines 24
mtu IN 1500
mtu OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map ANY
 match access-list ANY
!
!
policy-map ANY
 class ANY
!
service-policy ANY global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2004eb31534187f7c5ff8403b615714e
: end

with ASDM we cannot create a policy like this:

class-map ANY
 match access-list ANY
!
!
policy-map ANY
 class ANY

we have to inspect something. but with commands we can. and when we dont inspect anything, it allows tcp. why?

Have you left out some configuration?  amongst other things you are missing routing configuration.

--

Please remember to select a correct answer and rate helpful posts

it doesnt need any route. im testing it on a lab. you can do it by yourself. assume that we have a policy map like this:

class inspection_default

  match default-inspection-traffic

policy-map global_policy

  class inspection_default

service-policy global_policy global

this policy map allows http or dns traffic but not icmp traffic. why?

Just because you have removed all the inspection commands doesn't mean you have turned off the stateful inspection in the firewall.  The flow going from inside to outside will still go through all the checks and placed in the state table.  So as long as the flow remains the same (ie. destination porte from inside to outside, source port from outside to inside) the packet will be allowed.  But for protocols that use different source ports for replies (ie. ICMP) these packets will be dropped since the ASA can not match the return traffic to an existing flow without the packet being inspected.

--

Please remember to select a correct answer and rate helpful posts