In the outside-in access-list (acl_out), make sure that the following entries are present:

access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply

I've seen the question asked hundreds of times, and since I finally found how to do it without allowing ALL ICMP, I thought I'd share.
Hope it helps!
-J Keegan
j keegan at ctny dot net
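
A way to check a saved configuration against the four entries listed in the post, and to flag any entry that still permits all ICMP. This is an added example, not part of the original post; the function name, the sample configurations and the restriction to the "any any" form of the entry are assumptions made for illustration.

```python
import re

# ICMP types the post lists for acl_out
REQUIRED = {"time-exceeded", "unreachable", "echo", "echo-reply"}

# Constructed sample configurations (not from the original post)
NARROW = """\
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host 192.0.2.10 eq www
"""
BROAD = """\
access-list acl_out permit icmp any any
access-list acl_out permit icmp any any echo-reply
"""

# Matches "access-list <name> permit icmp any any [<icmp-type>]"
ENTRY = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+icmp\s+any\s+any(?:\s+(\S+))?\s*$"
)


def audit_icmp(config, acl="acl_out"):
    """Return (missing_types, blanket_line_numbers, extra_types) for one ACL."""
    seen, blanket = set(), []
    for number, line in enumerate(config.splitlines(), 1):
        match = ENTRY.match(line.strip())
        if not match or match.group(1) != acl:
            continue
        if match.group(2) is None:
            # No ICMP type keyword: this entry permits ALL ICMP
            blanket.append(number)
        else:
            seen.add(match.group(2))
    return sorted(REQUIRED - seen), blanket, sorted(seen - REQUIRED)


if __name__ == "__main__":
    for label, text in (("narrow", NARROW), ("broad", BROAD)):
        missing, blanket, extra = audit_icmp(text)
        print(label, "missing:", missing, "blanket lines:", blanket, "extra:", extra)
```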