You are unable to make Internet connections through the PIX/ASA Firewall when the Network Address Translation (NAT) pool extends past the network designated on the upstream router for the PIX IP range.
The syn packets go through the PIX Firewall, however no return packets go to the PIX Firewall.
In order to troubleshoot this issue, complete these steps:
Take captures in order to determine how the packets traverse through the PIX Firewall.
Check the xlate entries in the PIX in order to ensure that the translation through the PIX is created.
Check the upstream router in order to make sure that you get the response packets back to the PIX Firewall.
Make sure that the upstream router is able to route the response packets back to the PIX Firewall.
Refer to the capture command for more information and in order to understand how to create captures and apply them to the PIX configuration.