Cisco PIX firewall -- how can I get traceroute to function?
Posted on 2008-10-20
I have a PIX with three interfaces. The outside interface is connected to a cable modem, the dmz interface is connected to network 192.168.1.0 and the inside interface is connected to network 192.168.128.0. My security policy is simple: unrestricted outbound access from both dmz and inside; no access from outside to inside; limited access from outside to dmz (only DNS and HTTP). It's all working pretty well, except that I am unable to successfully initiate traceroute from a host on either the inside or dmz networks to a host on the Internet. It seems I need to permit something inbound that I am not currently permitting. Do I need to modify an ACL in some fashion?
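As an added example (not part of the original question or of any reply to it), this is the kind of inbound ACL change that normally makes traceroute work through a PIX. It assumes standard PIX `access-list`/`access-group` syntax, a hypothetical ACL name `outside_in` bound to the outside interface, and hypothetical translated (public) addresses in 203.0.113.0/24 for the DMZ DNS and HTTP servers; substitute your own names and addresses.

```cisco
! Added example, not from the original post. ACL name (outside_in) and the
! DMZ public addresses (203.0.113.x) are hypothetical placeholders.
!
! Existing policy as described: only DNS and HTTP from the Internet to the DMZ.
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.20 eq www
!
! Return traffic that an outbound traceroute depends on. Outbound probes
! (UDP 33434+ on Unix traceroute, ICMP echo on Windows tracert) already pass
! under the unrestricted outbound policy; these are the replies coming back:
!  - ICMP time-exceeded (type 11) from every intermediate router
!  - ICMP unreachable (type 3) from the final host for UDP traceroute
!    (port-unreachable, code 3); this also admits PMTU "fragmentation needed"
!  - ICMP echo-reply (type 0) for Windows tracert, which probes with ICMP echo
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
!
! Everything else from outside is still dropped by the implicit deny at the
! end of the list. Bind (or re-bind) the ACL inbound on the outside interface.
access-group outside_in in interface outside
```

Two checks worth making before touching the ACL: the `icmp permit`/`icmp deny` interface commands only govern ICMP addressed to the PIX's own interface addresses, not transit traffic, so they are not the fix here; and `permit icmp any any unreachable` lets anyone on the Internet deliver unreachables to your hosts, so if your software version offers stateful ICMP error inspection (`fixup protocol icmp error` on PIX 6.3, `inspect icmp error` on 7.x), enabling it and dropping the blanket `unreachable`/`time-exceeded` entries is the tighter option, since only replies matching an existing outbound probe are then admitted.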