I have a set of devices that should not be able to initiate any traffic, but may respond to traffic sent to them. Their role has one ACL, denyall. However, I've found that I can't ping these devices until I apply a session ACL with ICMP allowed. Doing this allows the echo-reply, but it also allows the device to initiate a ping to the network, which I do not want. To try and fix this, I created an extended ACL that only allows echo-replies from these devices, but it appears as though I can't apply it to the user role.
What options do I have to keep these devices from initiating traffic to the inside and only allow responses?
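The direction-based approach the question is asking about, as an added illustration (not configuration from the poster or from any vendor documentation): a session ACL on an ArubaOS-style controller is stateful, so permitting only the inbound direction lets the device answer an echo request while its own outbound echo requests, and any other traffic it originates, hit the deny rule. The role name `restricted-devices` and the ACL name `icmp-reply-only` are placeholders; verify the rule keywords against the controller's own CLI reference before use.

```text
! Session ACL: inbound ICMP to the device creates a session, so the reply is
! matched by state; anything the device initiates is denied.
ip access-list session icmp-reply-only
  any  user svc-icmp permit     ! network -> device: echo request allowed
  user any  any      deny       ! device -> network: nothing initiated

! Attach the session ACL to the role in place of a blanket ICMP permit.
user-role restricted-devices
  access-list session icmp-reply-only
```

Check the result with `show datapath session` (or the equivalent session table command) while pinging the device: a session entry should appear for the inbound request, and a ping started from the device itself should show no session and should be counted as a deny hit on the ACL.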