I found a situation yesterday on an FWSM running
3.1.3 whereby I could modify an outbound access list in the base case to be something like this:
access-list test permit icmp host 192.168.0.1 any
access-list test deny ip any any
... and it would keep denying the icmp packets until I either rebooted or clear-config'd the access list. Running with auto-commit enabled, icmp inspection off, I was able to add and remove similar rules (eg., allow TCP) and have them take effect instantaneously.
This using the latest asdm.
So it seems like there is something going on with addition of icmp rules that does not happen with other kinds of rules in this situation.
-c