As ZBW/CBAC has been removed from v5 (and I dont intend to be taking the lab until July) I went with an ACL for this:
ip access-list ex FILTER
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any port-unreachable
deny icmp any any
permit ip any any
inf f0/0
ip access-group FILTER in
I would ask the proctor if I had to keep the ICMP access open for 228.28.28.28 - if I did, I'd add it to the ACL.
FWIW, I spent about 1hr attempting to get a reflexive ACL to work, along with a local-policy on R1, but gave up. It just got far too messy, and I dont even know whether I would have been able to get to the bottom of it in several hours, let alone 1.