Thursday, December 09, 2004

Q: How do I filter PINGs or ICMP using an access-list?

A:
To filter PINGs, create an extended access list and apply it to an interface. I usually apply these lists to each interface in the inbound direction. To filter only PINGs (ICMP echo and echo-reply) and leave all other traffic alone, use the following (the list name is arbitrary; in named-ACL configuration mode the entries are typed without an access-list prefix):
ip access-list extended BLOCK-PING
 deny icmp any any echo
 deny icmp any any echo-reply
 permit ip any any
Most people like to filter out all ICMP traffic. However, there are three ICMP messages that should not be filtered: destination unreachable, source quench, and time exceeded. Use the unreachable keyword rather than host-unreachable for the first of these: host-unreachable matches only type 3 code 1, while unreachable matches every destination-unreachable code, including "fragmentation needed and DF set" (type 3 code 4), which path MTU discovery depends on. The extended IP access list to filter everything but these looks like this:
ip access-list extended ICMP-FILTER
 permit icmp any any source-quench
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any
 permit ip any any

Wednesday, December 08, 2004

Q: How do I use debug to see "ICMP can't fragment" errors generated by or passing through a router?

A:
The privileged EXEC command debug ip icmp will produce debug messages like the following, if there are such errors:
ICMP: dst (10.10.10.10) frag. needed and DF set unreachable sent to 10.1.1.1
These "unreachable" messages must be allowed, or path MTU discovery breaks for hosts behind the filter. If you are filtering ICMP, don't just use deny icmp any any. Make sure your interface access lists allow unreachable messages, and remember that every IOS access list ends with an implicit deny, so the list also needs a final permit ip any any or it will drop all non-ICMP traffic as well:
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 deny icmp any any
access-list 101 permit ip any any
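To see concretely what each keyword lets through, here is an added Python example (not part of the original post and not a Cisco tool) that evaluates IOS-style extended ACL entries against a handful of ICMP messages with first-match semantics and the implicit trailing deny. It compares a list that permits only host-unreachable with one that permits the whole unreachable type, which is the difference that decides whether "fragmentation needed and DF set" (type 3 code 4) survives. The keyword-to-type/code table, the probe list and the ACL texts are constructed for the example; the numbered list is the one above with a final permit ip any any added, and only the "any any" source/destination form used on this page is handled.

```python
"""Added example: first-match evaluation of IOS extended ACL entries for ICMP."""
from typing import Dict, List, Optional, Tuple

# IOS ICMP keyword -> (type, code); a code of None matches every code of that type.
# Only the keywords used on this page plus two closely related ones are listed.
ICMP_KEYWORDS: Dict[str, Tuple[int, Optional[int]]] = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),       # every destination-unreachable code
    "host-unreachable": (3, 1),     # type 3 code 1 only
    "packet-too-big": (3, 4),       # type 3 code 4: "frag. needed and DF set"
    "source-quench": (4, None),
    "time-exceeded": (11, None),
    "ttl-exceeded": (11, 0),
}

# (action, protocol, icmp match); match is None when the entry has no ICMP keyword.
Rule = Tuple[str, str, Optional[Tuple[int, Optional[int]]]]


def parse_acl(text: str) -> List[Rule]:
    """Parse numbered ("access-list 101 ...") or named (bare) extended ACL entries."""
    rules: List[Rule] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]                 # drop "access-list <number>"
        if tokens[0] == "ip" and tokens[1:2] == ["access-list"]:
            continue                            # "ip access-list extended NAME" header
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {raw!r}")
        if tokens[2:4] != ["any", "any"]:
            raise ValueError(f"only 'any any' entries are handled: {raw!r}")
        match = None
        if proto == "icmp" and len(tokens) > 4:
            match = ICMP_KEYWORDS[tokens[4]]    # KeyError for an unknown keyword
        rules.append((action, proto, match))
    return rules


def evaluate(rules: List[Rule], icmp_type: int, icmp_code: int) -> str:
    """Return 'permit' or 'deny' for one ICMP message; the first matching entry wins."""
    for action, proto, match in rules:
        if proto == "ip":                       # "ip any any" matches everything
            return action
        if proto != "icmp":
            continue
        if match is None:                       # "icmp any any" with no keyword
            return action
        m_type, m_code = match
        if m_type == icmp_type and (m_code is None or m_code == icmp_code):
            return action
    return "deny"                               # implicit deny at the end of every IOS ACL


# Constructed ACL texts: the first permits only host-unreachable, the second the whole type.
ACL_HOST_UNREACHABLE = """
permit icmp any any source-quench
permit icmp any any host-unreachable
permit icmp any any time-exceeded
deny icmp any any
permit ip any any
"""

ACL_UNREACHABLE = """
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 deny icmp any any
access-list 101 permit ip any any
"""

# ICMP messages worth checking, as (label, type, code).
PROBES = [
    ("echo request (ping)", 8, 0),
    ("echo reply", 0, 0),
    ("host unreachable", 3, 1),
    ("frag needed, DF set", 3, 4),
    ("source quench", 4, 0),
    ("TTL exceeded", 11, 0),
]


def pmtud_survives(acl_text: str) -> bool:
    """True if the list lets 'fragmentation needed and DF set' (type 3 code 4) through."""
    return evaluate(parse_acl(acl_text), 3, 4) == "permit"


def report(acl_text: str) -> Dict[str, str]:
    """Verdict for every probe message under the given list."""
    rules = parse_acl(acl_text)
    return {label: evaluate(rules, t, c) for label, t, c in PROBES}


if __name__ == "__main__":
    for name, acl in (("host-unreachable", ACL_HOST_UNREACHABLE), ("unreachable", ACL_UNREACHABLE)):
        print(f"--- {name} ---")
        for label, verdict in report(acl).items():
            print(f"{label:22s} {verdict}")
        print("PMTUD survives:", pmtud_survives(acl))
```

Running it shows both lists dropping ping while permitting source quench and TTL exceeded; only the list using the unreachable keyword passes the type 3 code 4 message that the debug output above reports.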