The access list checks for the first match and then breaks out. In your access list, the first match is to permit any IP packet, so the second line, deny icmp, is never checked. If you change the order of the access list to:
access-list 101 deny icmp any any
access-list 101 permit ip any any
the ICMP traffic should be blocked. It is just the way access lists work: if they find a match, they do not look further down in the access list.
I agree with what GP said. Reverse the order of the commands in your access-list and it will work fine.
The "ip" part of your "access-list 101 permit ip any any" command includes TCP, UDP, and ICMP protocols. That's how the ICMP traffic was getting through.
If your access-list had been written differently, such as
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny icmp any any
then it would have worked.
It's generally a good idea to put your "deny" commands close to the top of the access-list, to be sure they take precedence over "permits". Just be careful not to deny more than you want to.
Hope this helps.
Edited to add:
If you want to control the type of ICMP traffic that's allowed in and out of the Serial0 interface, you can create two access-lists, one for inbound and the other for outbound traffic.
For example, if you want to be able to ping from your Ethernet LAN through the router and out the serial interface and get replies back, but keep people on the outside from pinging into your Ethernet LAN from the serial side, you could do this:
access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip any any
access-list 103 permit icmp any any echo
access-list 103 deny icmp any any echo-reply
access-list 103 permit ip any any
ip access-group 102 in
ip access-group 103 out
Note that in access-list 102, the second line that permits the echo-reply is not really needed, since the last line in that access-list permits ip (TCP, UDP, and ICMP) and would also allow it. But sometimes it is useful to list a command anyway; for example, if you want to see whether that specific line is being matched. (You would see this with the "show ip access-list 102" command.)
And access-list 103 could be re-written to put the "deny icmp echo-reply" command first, if you wanted to.
No need to put anything on your Ethernet0 interface, unless you want to. If you wanted to be redundant, you could apply the same ACLs:
ip access-group 102 out
ip access-group 103 in
Note that the direction (in/out) changes, since the traffic being permitted or denied in my example is coming into the router from another direction. In this scenario, you would want to allow your PING echoes to enter the router from the LAN side so that they could exit out the Serial0 interface; and you would want to allow the echo-replies to come back.
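Added example, not part of the original replies: a small Python model of first-match ACL evaluation with per-line hit counters, run against the ACL lines quoted in this thread. The function names and sample packets are constructed for illustration, the original access-list 101 is reconstructed from the description in the first reply, and the final implicit deny reflects standard IOS behaviour.

```python
# Added illustration: first-match evaluation of the ACL forms used in this thread.
# Handles only "access-list N permit|deny <proto> any any [icmp-type]".

def parse(lines):
    rules = []
    for text in lines:
        f = text.split()
        rules.append({"text": text, "action": f[2], "proto": f[3],
                      "icmp_type": f[6] if len(f) > 6 else None, "hits": 0})
    return rules

def matches(rule, pkt):
    # "ip" covers every IP protocol, so it also matches TCP, UDP and ICMP.
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    return rule["icmp_type"] in (None, pkt.get("icmp_type"))

def evaluate(rules, pkt):
    """Return the action of the first matching line and count the hit."""
    for rule in rules:
        if matches(rule, pkt):
            rule["hits"] += 1
            return rule["action"]   # first match wins; later lines are not checked
    return "deny"                   # implicit deny at the end of every IOS ACL

# Constructed sample packets (hypothetical, for illustration only).
ECHO = {"proto": "icmp", "icmp_type": "echo"}
REPLY = {"proto": "icmp", "icmp_type": "echo-reply"}
TCP = {"proto": "tcp"}

def original_101():   # order described in the first reply: permit first
    return parse(["access-list 101 permit ip any any",
                  "access-list 101 deny icmp any any"])

def fixed_101():
    return parse(["access-list 101 deny icmp any any",
                  "access-list 101 permit ip any any"])

def acl_102():        # inbound list on Serial0 from the second reply
    return parse(["access-list 102 deny icmp any any echo",
                  "access-list 102 permit icmp any any echo-reply",
                  "access-list 102 permit ip any any"])

if __name__ == "__main__":
    for name, acl in (("original", original_101()), ("fixed", fixed_101()),
                      ("102", acl_102())):
        for pkt in (ECHO, REPLY, TCP):
            evaluate(acl, pkt)
        print(name, [(r["text"], r["hits"]) for r in acl])
```

The hit counters play the role of the match counts in "show ip access-list": a line that stays at zero while traffic it was meant to catch is flowing is shadowed by an earlier line.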