ASA firewall connectivity

mohammad saeed
Level 5

Hi guys,

I have this scenario (GW------ASA-------Core). I can ping between ASA+GW and ASA+core, but I can't ping between Core + GW!

What is the problem?

Thanks.

14 Replies

Ji-Won Park
Level 1

Hi Mohammad,

Is your ASA in routed mode? Do you have proper routing on the ASA? Routing is not required for connected interfaces.

Hi Ji Won,

I have a default route to the GW and a static route to the core like this:

interface GigabitEthernet0/0
 description " Connection to GW"
 nameif outside
 security-level 0
 ip address 10.60.20.1 255.255.255.0
!
interface GigabitEthernet0/1
 description " Connection to Core-1"
 nameif inside
 security-level 100
 ip address 10.60.10.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 100
 ip address 10.60.30.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 name-server 84.235.6.55
 name-server 84.235.57.230
 domain-name Saudi.net.sa
same-security-traffic permit intra-interface
object network NAT
 subnet 0.0.0.0 0.0.0.0
access-list PERMIT_ALL extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group PERMIT_ALL global
route outside 0.0.0.0 0.0.0.0 10.60.20.2 1
route inside 10.0.0.0 255.0.0.0 10.60.10.1 1

Any issue?

Thanks,

Mohammad

Does your GW have a route to the network behind the ASA?

Yes, GW has a static route to the ASA and a default route to outside.

Try this:

packet-tracer input inside icmp "core-ip" 8 0 "GW-ip"

Show me the output.


This command is inside the ASA?

In the core I have a default route to the ASA!

Yes, packet-tracer is a feature in the ASA; you can simulate packets and it will tell you where it drops the packet.

Try the command and show me the output.


ciscoasa(config)# packet-tracer input inside icmp 10.60.10.1 8 0 10.60.20.2

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.60.20.0      255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PERMIT_ALL global
access-list PERMIT_ALL extended permit ip any any 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.60.10.1/0 to 10.60.20.1/31551

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 373270, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(c
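Reading a packet-tracer transcript by hand is fine for one flow, but the useful question is always the same: which phase was the first to return something other than ALLOW, and what drop reason did the final Result block give. The following Python parser is an added example (my code, not from this thread or from Cisco) that splits a transcript into its Phase blocks and the final Result block and reports that. The ALLOW sample is abridged from the output posted above; the DROP sample is constructed to show what an interface ACL deny would look like and assumes the standard phase/Result layout, with a hypothetical out_in ACL.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str                      # ALLOW or DROP (upper-cased)
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class TraceReport:
    phases: List[Phase]
    summary: Dict[str, str]          # key/value fields of the final "Result:" block

    @property
    def action(self) -> str:
        return self.summary.get("Action", "").lower()

    @property
    def first_drop(self) -> Optional[Phase]:
        # The first non-ALLOW phase is where the ASA stopped processing the packet.
        return next((p for p in self.phases if p.result != "ALLOW"), None)

    @property
    def drop_reason(self) -> str:
        return self.summary.get("Drop-reason", "")

    def nat_translations(self) -> List[str]:
        # "Dynamic translate A to B" lines reported by NAT phases.
        return [ln for p in self.phases if p.type == "NAT" for ln in p.info if "translate" in ln]


def _parse_phase(lines: List[str]) -> Phase:
    number = int(lines[0].split(":", 1)[1])
    fields: Dict[str, str] = {"Type": "", "Subtype": "", "Result": ""}
    config: List[str] = []
    info: List[str] = []
    section = None                   # None -> header keys, "config", "info"
    for ln in lines[1:]:
        if ln.startswith("Config:"):
            section = "config"
        elif ln.startswith("Additional Information:"):
            section = "info"
        elif section is None:
            key, _, val = ln.partition(":")
            fields[key.strip()] = val.strip()
        elif section == "config":
            config.append(ln)
        else:
            info.append(ln)
    return Phase(number, fields["Type"], fields["Subtype"], fields["Result"].upper(), config, info)


def parse_packet_tracer(text: str) -> TraceReport:
    """Split a packet-tracer transcript into Phase blocks and the final Result block."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines[0] == "Result:":
            for ln in lines[1:]:
                key, _, val = ln.partition(":")
                summary[key.strip()] = val.strip()
        # anything else (e.g. the CLI prompt line) is ignored
    return TraceReport(phases, summary)


def explain(report: TraceReport) -> str:
    """One-line verdict: where the packet was allowed through or where it was dropped."""
    drop = report.first_drop
    if drop is None and report.action == "allow":
        return f"allowed: {report.summary.get('input-interface')} -> {report.summary.get('output-interface')}"
    where = f"phase {drop.number} ({drop.type}/{drop.subtype})" if drop else "final verdict"
    return f"dropped at {where}: {report.drop_reason or 'no drop reason given'}"


# Constructed sample, abridged from the ALLOW output in the thread above.
ALLOW_TRACE = """
ciscoasa(config)# packet-tracer input inside icmp 10.60.10.1 8 0 10.60.20.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.60.20.0      255.255.255.0   outside

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.60.10.1/0 to 10.60.20.1/31551

Phase: 3
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 373270, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample: what a trace looks like when a hypothetical out_in ACL denies the reply direction.
DROP_TRACE = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.60.10.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group out_in in interface outside
access-list out_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for trace in (ALLOW_TRACE, DROP_TRACE):
        print(explain(parse_packet_tracer(trace)))
```

Feed it the raw transcript copied from the ASA CLI (the prompt line is ignored). The NAT phase is worth keeping in view when a ping "allows" but never gets a reply: the translation line shows the inside host leaving as the outside interface address, so the reply from the far side is addressed to the ASA itself rather than to the original source.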

Add this line and let me know:

access-list out_in extended permit icmp any any
access-group out_in in interface outside

Also, show me your default class policy-map:

show run policy-map


I added that access list and had no success!

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect http 
  inspect icmp 
!
ciscoasa# 

Can you try to take out the icmp inspection and try? What's the software version of your ASA?

Wow! Thanks, it works after I removed it!!! Strange.

My ASA version is 8.3(1).

Many thanks.

It is strange; it should work even with default inspection. I just gave it a try, as I ran into a similar issue where DNS was broken and I had to remove it from the inspection and it worked. It was a known bug in 9.1.1 code. You might want to open a case with TAC to verify the bug ID.

You should also confirm that the Core has a route to the GW inside interface through the ASA.
