I still can't run traceroute through my ASA, even though it's configured as shown:

policy-map global_policy

class inspection_default

inspect icmp error

inspect icmp

!

service-policy global_policy global

I've issued the "clear x" command and even tried adding the following commands:

icmp permit any Outside

icmp permit any Inside

When I try "tracert yahoo.com", this is what the ASDM log shows (note that I've reversed the order to show earliest message first):

Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)

Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:(gateway address) dstInside:(outside IP address)(type 11,code 0)

Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)

I can place a computer on the same public IP subnet that the outside interface of the ASA resides on and get traceroutes to work without issue, I know the problem lies with the ASA.

Interestingly enough, I tried using the ACL method:

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

instead of the global policy method, and that worked fine.

Go figure...