hi,
Could you please tell me which command on Cisco routers prevents them from being pinged from outside networks, and also how I can prevent terminals inside a network from pinging outside IPs (group policies etc.?).
thanks
Really, it is not a command that you need. You need to create appropriate access lists. All access lists have an implicit deny at the end, which implies that anything not explicitly allowed is forbidden. For ping you have to deny ICMP packets of type echo-request (8) that enter through your interfaces. This will forbid any ping from outside to inside and the other way around.
Last Wiki Answer Submitted: May 13, 2005 8:48 am by Victoriano0 pts.
access-list 101 deny icmp any any echo
On both outside and inside interfaces, apply the following:
ip access-group 101 in
That will stop echo requests from outside from entering the local LAN and stop the local LAN from pinging out. You can make a separate access list for each interface and define a range if there are only certain terminals you want blocked. You may want to allow your station to ping to test line status. Traceroute uses pings and is a simple way to confirm whether the ISP is having issues.
The second response gives you most of what you need.
Remember to spell "any" correctly. With the implicit "deny any any" at the end of the access list, if you want to allow all other traffic you need to add something like "access-list 101 permit ip any any" after denying the echo.
While you are building this access list you may want to include other things that should be denied.
Another thing to think about if you are using this router as your primary firewall, we have just defined an allow by default access list. Secure firewalls almost always use deny by default rules. This way you know what you are allowing.
I know this goes well beyond the question but I have seen too many inadequately protected networks.
rt
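Putting the second and third replies together, here is a complete configuration as an added example; it was not posted by anyone in this thread. It assumes IOS extended ACL syntax, FastEthernet0/0 as the outside interface, FastEthernet0/1 as the inside interface, 192.168.1.0/24 as the LAN and 192.168.1.10 as the admin station. It goes slightly beyond the thread by showing the simple allow-by-default ACL next to the deny-by-default outside ACL the third reply recommends, so you can see what each one lets through.

```cisco
! ---------------------------------------------------------------
! Variant 1: allow by default (what the thread builds).
! One ACL, applied inbound on both interfaces, drops ICMP
! echo-request (type 8) in both directions. Because an inbound ACL
! also filters packets addressed to the router itself, this stops
! the router's own interfaces from being pinged from outside too.
! ---------------------------------------------------------------
access-list 101 remark Block ping (ICMP echo-request) in both directions
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
interface FastEthernet0/0
 description Outside (ISP)
 ip access-group 101 in
!
interface FastEthernet0/1
 description Inside LAN
 ip access-group 101 in
!
! ---------------------------------------------------------------
! Variant 2: deny by default on the outside interface (instead of
! variant 1; re-applying "ip access-group" on an interface replaces
! the previous ACL there). Only traffic the LAN asked for is let
! in; everything else hits the implicit "deny ip any any".
! Interface names and addresses are assumptions for illustration.
! ---------------------------------------------------------------
access-list 110 remark Outside inbound: deny by default
! Return traffic for TCP sessions the LAN opened
access-list 110 permit tcp any 192.168.1.0 0.0.0.255 established
! DNS answers from external resolvers
access-list 110 permit udp any eq domain 192.168.1.0 0.0.0.255
! Ping replies, so the admin station can test the line
access-list 110 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
! Keep path MTU discovery and traceroute responses working
access-list 110 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 110 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
! Implicit at the end: access-list 110 deny ip any any
!
! Inside interface: the admin station (192.168.1.10, assumed) may
! ping out; every other LAN host has echo blocked; all else passes.
access-list 120 remark Inside inbound: block ping except admin station
access-list 120 permit icmp host 192.168.1.10 any echo
access-list 120 deny   icmp any any echo
access-list 120 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
!
interface FastEthernet0/1
 ip access-group 120 in
!
! Verification: hit counters per ACL line, and which ACL each
! interface has applied.
! show access-lists 110
! show access-lists 120
! show ip interface FastEthernet0/0 | include access list
```

With variant 2, anything not listed in ACL 110 (new inbound TCP connections, inbound UDP other than DNS replies, echo-requests) is dropped by the implicit deny, which is the "you know what you are allowing" point of the third reply. Check the counters in "show access-lists" after a test ping from outside and from a blocked LAN host to confirm the deny line is the one matching.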
Also, what router are you using? New IOS feature sets have a basic FW built in and you can lock it down fairly easily with the available web GUI. Not the best in the world for a FW, but it does a good treat and works wonders better than an ACL – if you are not that familiar with ACLs.
If you are using a 1700, 2600, 3600, 1800, 2800 or 3800 series router you can get this IOS (with sufficient memory and flash) and use the features. It also has a quick simple VPN and a more advanced VPN wizard in the GUI as well. Lots of nice new features that can be a large help to persons not fully versed in IOS CLI commands.
Hope this helps
Cisco_cat_6k – CCDP