I am using PIX 7.0. I have opened any-any access for my users behind the firewall, but none is able to ping public addresses like www.yahoo.com or IP 18.104.22.168.
Please see the attached show run.
Perhaps you don't even need to use access-lists. With 7.0 code, the PIX can do stateful inspection of ICMP, track the replies coming from outside, and allow them if they match the requests initiated from the inside network. To do so, you can implement the following commands:
inspect icmp error
Now check if you are able to ping outbound.
Please add the command:
access-list acl-internet extended permit icmp any any
This is the access-list on the outside interface. When you try to ping anything on the internet, the ICMP echo request reaches that IP address, and an ICMP echo response is generated which reaches the firewall's outside interface.
As the access-list on the outside interface does not permit ICMP, they'll be dropped, and that's why you do not get replies on the inside.
There are many ICMP commands which you could permit individually.
For details, please check:
Hope this helps!!
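The two approaches suggested in the replies above, side by side, as an added configuration example that is not taken from the thread or from the poster's show run. It assumes the PIX 7.0 default policy names `global_policy` and `inspection_default`, and that `acl-internet` is applied inbound on an interface named `outside`.

```text
! Added example, not the poster's configuration.
!
! Option 1: stateful ICMP inspection (first reply).
! Echo replies are admitted only when they match an echo request
! that was initiated from the inside network.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option 2: ACL on the outside interface (second reply), limited to
! the reply and error types that outbound ping and traceroute need.
! "permit icmp any any" would also pass unsolicited ICMP, such as
! inbound echo requests, through this ACL.
access-list acl-internet extended permit icmp any any echo-reply
access-list acl-internet extended permit icmp any any time-exceeded
access-list acl-internet extended permit icmp any any unreachable
!
! Assumption: the ACL is bound inbound on the interface named "outside".
access-group acl-internet in interface outside
```

With Option 1 in place, no ICMP entries are needed in the outside ACL for return traffic to outbound pings.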