Fundamental issue here - must be me - I have a laptop plugged into the inside interface of my pix firewall (Pix 501). I have set up an ACL to deny icmp echo and icmp echo-reply FROM the laptop address TO the ip address of the inside interface. I have applied the ACL to the inside interface via an access-group command ("in"). And I can still ping the inside interface of the firewall from the laptop still. Debug icmp trace shows no hits. What am I doing wrong? Surely you can deny icmp in this way ?