Cisco ASA - ICMP Inpsect and the Connection Table
Recently I've discovered that there is, well, fairly limited information online around this point. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table.
What is ICMP Inspect?
"The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct
When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request." 
ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
When ICMP inspection enabled, for a single ICMP ping, a single connection is created within the connection table. The connection is torn down once the ICMP request and reply have been seen. In other words the request and reply traverse the ASA via the same connection.
Due to the speed that the ICMP connection is built and torn down, it is highly likely that you will be able to see the connection by running show connection
Mar 15 2012 11:22:38: %ASA-7-609001: Built local-host outside:10.1.1.100 Mar 15 2012 11:22:38: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.100/0 gaddr 22.214.171.124/48756 laddr 172.16.12.44/48756 Mar 15 2012 11:22:38: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.100/0 gaddr 126.96.36.199/48756 laddr 172.16.12.44/48756 Mar 15 2012 11:22:38: %ASA-7-609002: Teardown local-host outside:10.1.1.100 duration 0:00:00
When ICMP inspection is not enabled 2 separate connections are created for each ICMP transaction. One connection by the ICMP echo request and another by the ICMP echo reply. The connection will be torn down once the ICMP timeout has been reached. By default the ICMP connection timeout is 2 seconds.
ciscoasa# show conn ... ICMP outside 10.1.1.100:0 inside 172.16.12.44:46452, idle 0:00:00, bytes 168, flags ICMP outside 10.1.1.100:0 inside 172.16.12.44:46452, idle 0:00:00, bytes 224, flags