
Deny ICMP across a frame-relay network


estarr5

MIS
Dec 8, 2001
5
US
I have a WAN consisting of 10 offices. All remote offices connect to the main office over frame-relay in a star topology. The main office router is a 3640. The 10 remote offices each have 1720's. The IOS on all routers is 12.2. I need to block ICMP traffic across the WAN. I want to make sure that not only can ICMP flow from inside the LAN at any remote office to the main office but also from remote office to remote office. Let's say the IP scheme is as follows:

Site 1: 192.168.2.0
Ethernet int on router: 192.168.2.1

Site2: 192.168.3.0
Ethernet int on router: 192.168.3.1

Site3: 192.168.4.0
Ethernet int on router: 192.168.4.1

Site4: 192.168.5.0
Ethernet int on router: 192.168.5.1

and so on.

Main office: 192.168.20.0
Ethernet int on router: 192.168.20.1

No ip addresses configured on Serial interfaces.

So, what is the best way to set up my access-lists to accomplish my task? I'm having trouble with this. What I did try already is apply:

access-list 110 deny icmp any any

on all the ethernet interfaces at each remote site and main office using 'ip access-group 110 in'. This didn't seem to work.

Any kind souls out there have any suggestions? I know this is ridiculously elementary, but I need to implement this quickly, and other priorities have got me all tied up. Thanks in advance for any help offered.
 
Your ACL statement was fine, but only half-way. Remember that access-lists have a default "deny ip any any" statement added at the end, but not shown.
To prevent users from originating ICMP I would create the following on the router interfaces closest to them, that is all Ethernet ports (all routers, all ports):

access-list 110 deny icmp any any
access-list 110 permit ip any any

int ethernet 0
ip access-group 110 in

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
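As an added illustration (not code from the thread or from Cisco), the small Python evaluator below applies Cisco-style extended ACL lines in order, appends the implicit "deny ip any any" the reply refers to, and shows why the original one-line ACL drops all traffic while the corrected two-line ACL drops only ICMP. The ACL text and addresses are constructed from the thread's scheme; only "any", "host A.B.C.D" and "A.B.C.D wildcard" address specs are supported.

```python
import ipaddress

# IOS silently appends this rule to every ACL; it matches everything.
IMPLICIT_DENY = ("deny", "ip", ("any", None), ("any", None))


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("any", None)
    if tok == "host":
        return (ipaddress.ip_address(tokens.pop(0)), None)
    return (ipaddress.ip_address(tok), ipaddress.ip_address(tokens.pop(0)))


def parse_acl(text):
    """Parse lines like 'access-list 110 deny icmp any any' into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        rules.append((action, proto, src, dst))
    return rules


def _addr_matches(spec, addr):
    base, wildcard = spec
    if base == "any":
        return True
    if wildcard is None:           # 'host' form: exact match
        return addr == base
    # Wildcard mask: bit 1 = don't care, bit 0 = must match.
    mask = ~int(wildcard) & 0xFFFFFFFF
    return (int(addr) & mask) == (int(base) & mask)


def evaluate(rules, proto, src, dst):
    """First matching rule wins; the implicit deny catches anything unmatched."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in list(rules) + [IMPLICIT_DENY]:
        if rproto in ("ip", proto) and _addr_matches(rsrc, src) and _addr_matches(rdst, dst):
            return action


# Constructed ACLs: what the poster applied, and the reply's fix.
ORIGINAL_ACL = "access-list 110 deny icmp any any"
CORRECTED_ACL = ORIGINAL_ACL + "\naccess-list 110 permit ip any any"
```

With ORIGINAL_ACL a TCP session from 192.168.2.10 to 192.168.20.5 is denied by the implicit rule; with CORRECTED_ACL it is permitted and only ICMP is denied.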