Unoffical empeg BBS


#298839 - 31/05/2007 12:53 Cisco ASA 5510 firewall and traceroute
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Does anyone have enough familiarity with the Cisco ASA 5500 series firewalls to tell me how to configure it so that I can traceroute (and ping, for that matter) from inside the firewall to the Internet? My current outgoing policy is to allow all traffic from inside to out. I have the feeling that part of the problem may be that the replies to the pings and traceroute packets aren't being mapped back to the inside IP address properly (or at all), but, as much as I hate Cisco firewalls, I find it hard to believe that it cannot do what a $25 home firewall can do.
_________________________
Bitt Faulk

#298840 - 31/05/2007 13:10 Re: Cisco ASA 5510 firewall and traceroute [Re: wfaulk]
oliver
addict

Registered: 02/04/2002
Posts: 691
I think you'd want something like this...

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
_________________________
Oliver mk1 30gb: 129 | mk2a 30gb: 040104126

#298841 - 31/05/2007 14:38 Re: Cisco ASA 5510 firewall and traceroute [Re: oliver]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Ah. I needed an incoming rule. Gotcha. I figured that since it had to map the incoming packet back to the original NATted host that it would be implicit. After all, I don't have to have incoming rules for other reply packets. Then again, TCP does open a VC, and I don't know if I'd have to do the same thing for UDP replies.

Regardless, it worked. Thanks muchly.
_________________________
Bitt Faulk

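Editor's note, added to the thread and not posted by any participant: the access-list in oliver's reply works, but it is stateless, so echo-reply, unreachable and time-exceeded packets are admitted from any source whether or not an inside host ever sent anything. The ASA's own stateful alternative is ICMP inspection in the Modular Policy Framework, which records outbound echo-requests in the connection table and only admits the matching replies; the `inspect icmp error` half also rewrites the NATted addresses inside the ICMP errors that intermediate routers send back, which is what a traceroute (Linux UDP probes or Windows ICMP probes alike) needs to see through PAT. The example below assumes the factory default policy names `global_policy` and `inspection_default`; on a box where those were renamed, substitute the local names. The `show` lines are the CLI checks to confirm ICMP flows are being tracked.

```cisco
! Added example, not from the thread: stateful ICMP handling on an ASA.
! Assumes the default MPF objects global_policy / inspection_default exist.
policy-map global_policy
 class inspection_default
  ! Track echo-request -> echo-reply as a connection; only replies to
  ! outbound requests are allowed back in, with no inbound ACL needed.
  inspect icmp
  ! Translate the embedded header in ICMP unreachable / time-exceeded
  ! so traceroute hops are delivered to the correct inside host.
  inspect icmp error
 class class-default
  ! Optional: decrement TTL on forwarded packets so the ASA itself
  ! appears as a hop in the traceroute output.
  set connection decrement-ttl

! Verification from the CLI after a ping / traceroute from an inside host:
! show service-policy inspect icmp
! show conn protocol icmp
```

With inspection in place the stateless `access-group 101 in interface outside` lines can be removed, which closes the inbound ICMP hole for everything except replies the ASA is expecting; UDP traceroute probes need no extra inbound rule either, because the probes themselves create ordinary UDP connection entries and the replies that matter are the ICMP errors handled above.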