The PIX does not dynamically allow the return packets from pings/traceroutes. For inside users to be able to ping external hosts, you need to permit Internet Control Message Protocol (ICMP) echo reply packets back through the PIX. The PIX does not dynamically open up access for the ICMP reply packets.
The solution is to apply an access-list to the outside interface permitting echo reply packets back in.
For example:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages