ACL extended not working

mangsto32
Level 1

We are experiencing an issue where the Cisco router is pinging some servers with its WAN IP.

We didn't find the reason, so we tried to block the ping.
Despite applying an ACL, I still see logs of the ping in the firewall. It's really weird, because when I try to ping the servers with the WAN IP I can't:

ROUTER#ping 172.24.133.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ROUTER#ping 172.24.133.124 so
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

cisco config:

ip access-list extended Block-Ping
10 deny icmp host 198.18.100.9 any echo
20 deny icmp host 198.18.100.9 any echo-reply
30 permit ip any any

!

interface GigabitEthernet0/0/1.60
description p2p_to_customer
encapsulation dot1Q 60
ip address 172.24.60.249 255.255.255.0
ip access-group Block-Ping out


Karan Belani
Level 1

As per the network topology, the router's gi0/0/1.60 IP address is 172.16.1.1, and in your ACL configuration you have created the ACE "30 permit ip any any"; that's why you can ping.
What is your WAN IP: 172.16.1.1 or 172.24.60.249?



The WAN IP is 198.18.100.9.
As you can see, it seems like the ACL is working, because when I try to ping from the router with this source there is no ping:
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

The topology was wrong; I just updated the photo.

Hello, 
So do you want to block the ping to servers from WAN IP or allow the ping?

Hi 
I want to block it, and it seems like it blocks, but when I open my firewall I still see the ICMP.

Hello, 
Yes, got it. In the firewall, check the source IP of the ping.
Is there any destination NAT configured on your router? The public IP won't get translated to a private IP and routed to the servers unless NAT is configured.

There is no NAT on the router, I have a static route to the servers.

In the firewall, I see the source IP that I blocked, 198.18.100.9.

How can I add log to the access list? When I do show access-list, I don't see matches on the block statement.

Can you add log to the ACL you apply and see if it blocks traffic or not?

MHM

etienne-buxin
Level 1

An ACL never applies to traffic generated by the router itself.

https://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4

"...ACLs never apply to traffic generated by the router"
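An added illustration of this point (my own example, not code from the thread or from Cisco): a small Python model of the Block-Ping ACL from the original post, evaluated as an outbound interface ACL under simplified, assumed IOS semantics, with a "router_generated" flag standing for packets the router itself sources. A transit echo from 198.18.100.9 is denied and counted; the router's own echo never reaches the ACL, which is why the ACE counters stay at zero while the firewall still logs the pings.

```python
import ipaddress
from dataclasses import dataclass, replace

ACL_TEXT = """
10 deny icmp host 198.18.100.9 any echo
20 deny icmp host 198.18.100.9 any echo-reply
30 permit ip any any
"""  # the Block-Ping ACL exactly as posted in the thread

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", ...
    icmp_type: str = ""             # "echo" / "echo-reply" for ICMP
    router_generated: bool = False  # True for a ping typed at ROUTER# (assumed flag)

def _addr(tok, i):  # 'any' or 'host A.B.C.D' at tok[i] -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2

def parse_acl(text):
    """Numbered extended ACEs -> [(seq, action, proto, src, dst, icmp_type)]."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 3)
        dst, i = _addr(tok, i)
        icmp_type = tok[i] if i < len(tok) and tok[i] != "log" else ""
        aces.append((int(tok[0]), tok[1], tok[2], src, dst, icmp_type))
    return aces

def outbound_acl(aces, pkt, hits):
    """'permit'/'deny'/'bypass'; hits counts ACE matches like 'show access-lists'."""
    if pkt.router_generated:  # IOS does not run interface ACLs on its own traffic
        return "bypass"       # nothing is evaluated, so no counter moves
    for seq, action, proto, src, dst, icmp_type in aces:
        if (proto in ("ip", pkt.proto) and icmp_type in ("", pkt.icmp_type)
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst):
            hits[seq] = hits.get(seq, 0) + 1
            return action
    return "deny"             # implicit deny at the end of every ACL

def demo():
    aces, hits = parse_acl(ACL_TEXT), {}
    transit = Packet("198.18.100.9", "172.24.133.124", "icmp", "echo")
    local = replace(transit, router_generated=True)  # same echo, typed at ROUTER#
    return outbound_acl(aces, transit, hits), outbound_acl(aces, local, hits), hits
```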

Thanks

I will try to use CoPP; maybe this will work.

ianbirchall
Level 1

Just wanting to check: you say you see the pings in the firewall.
Are they pings with source IP 198.18.100.9?
And are you able to see the hit count on your Block-Ping rule?
Also, just to confirm, is the Block-Ping rule named and referenced correctly? Not "BLOCK-PING" in all caps, for example?

Kindest Regards,
Ian Tony Birchall

Are they pings with source IP 198.18.100.9? YES
And are you able to see the hit count on your Block-Ping rule? No hit count, but when I try to ping with the source I can't:
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

Also, just to confirm, is the Block-Ping rule named and referenced correctly? Not "BLOCK-PING" in all caps, for example? YES

I ran a lab; the ACL does not work for me. I will try CoPP and share the code here.

MHM

YES, but I am not familiar with that. Do I need to see a log in the CLI?
