PIX 501 - allow icmp out but deny everything else out

My current config has NO access-lists or access-groups.
Client machines have no internet - expected.

If I add the following lines......
access-list INBOUND permit icmp any any
access-list INBOUND deny tcp any any
access-list INBOUND deny ip any any
access-group INBOUND in interface outside

..... then my client machines suddenly have icmp out (expected), but
they also have http/dns/smtp (ie ALL) out.

What access rules can I add, so that clients have icmp out, but nothing
else?

Thanks
Nick

 

tcp is a subset of ip, so the tcp line is redundant.
There is a default deny at the end of every access-list, so all
trailing deny statements are redundant.

It is relatively tricky to create a restricted VPN without using
at least two access-list . What are your static, nat, and global
commands, and what IP pool are you allocating to your clients?

 

The statement above would allow ICMP return from the inside but also you
have a DENY statement that would block anything from coming in, especially
in the order you have stated (remove "access-list INBOUND deny tcp any any"
as it is redundant). I would say that something significant in your
config, that you have not posted is causing Internet Access for the client
machine.

You would need to post your config up here so we can take a better look.