Question : traceroute from behind a pix not working properly

I have 8 clients that have the same configuration and the same problem.

We have a PIX 515E with OS 7.0.1.
I can ping out of the network from the machines on PAT and NAT,

but

if I do a traceroute from either PAT or NAT,
I get the same problem:

only the last hop (the one that I am tracing) answers,
i.e.:
Tracing route to www.yahoo.akadns.net [68.142.226.41]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11   124 ms   123 ms   125 ms  p10.www.re2.yahoo.com [68.142.226.41]


I even tried to add, on top of the implicit outbound rule, two rules to permit ICMP in and out, but no luck.
Any ideas?
Thanks a lot
TS

Answer : traceroute from behind a pix not working properly


ICMP Inspection Engine
Version 7.0(1) introduces an ICMP inspection engine. This engine enables secure usage of ICMP, by providing stateful tracking for ICMP connections, matching echo requests with replies. Additional controls are available for ICMP error messages, which are only permitted for established connections.

Use the inspect icmp and the inspect icmp error commands to configure the ICMP inspection engine.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Inspect ICMP command reference:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1406865
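
A simplified model of the stateful matching the answer describes, added here as an illustration; it is not Cisco's code or the PIX implementation. The class and helper names are hypothetical, the inside-host and transit-router addresses used with it are constructed, and NAT/PAT and connection timeouts are left out.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def ip4(addr):
    return bytes(map(int, addr.split(".")))

def echo(icmp_type, ident, seq):
    """8-byte ICMP echo header (checksum left at 0 in this model)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

def icmp_error(icmp_type, orig_src, orig_dst, orig_icmp):
    """ICMP error: 8-byte header + original IPv4 header + first 8 bytes of its payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 1, 0, ip4(orig_src), ip4(orig_dst))
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + ip + orig_icmp[:8]

class IcmpInspector:
    """Hypothetical model of stateful ICMP tracking; NAT and timeouts are not modelled."""
    def __init__(self):
        self.flows = set()  # (inside_ip, outside_ip, ident, seq) of outstanding echo requests

    def outbound(self, src, dst, icmp):
        t, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if t == ECHO_REQUEST:
            self.flows.add((src, dst, ident, seq))
        return True  # stands in for the implicit outbound rule

    def inbound(self, src, dst, icmp):
        if len(icmp) < 8:
            return False
        t, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if t == ECHO_REPLY:  # must answer an outstanding request, and only once
            key = (dst, src, ident, seq)
            if key in self.flows:
                self.flows.discard(key)
                return True
            return False
        if t in (DEST_UNREACH, TIME_EXCEEDED):
            inner = icmp[8:]  # sender is a transit router, so match on the embedded packet
            ihl = (inner[0] & 0x0F) * 4 if inner else 0
            if ihl < 20 or len(inner) < ihl + 8 or inner[9] != 1:
                return False
            o_src = ".".join(map(str, inner[12:16]))
            o_dst = ".".join(map(str, inner[16:20]))
            it, _, _, o_id, o_seq = struct.unpack("!BBHHH", inner[ihl:ihl + 8])
            return it == ECHO_REQUEST and o_src == dst and (o_src, o_dst, o_id, o_seq) in self.flows
        return False  # other unsolicited ICMP types are dropped in this model
```

The point for traceroute is the error branch: a time-exceeded message arrives from a router the inside host never addressed, so it can only be tied to a connection through the original packet it carries.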


