Cisco Support Community
Community Member

SA520W: ICMP to WAN port?

We just installed an SA520W to use as a FW/Router with our new Metro Ethernet Internet connection.  Our provider "demands" that we allow ICMP-ECHO (type8), ICMP-ECHO-REPLY (type0) and ICMP-TRACEROUTE (type30) to facilitate their monitoring of our service.

They have given me Source IP ranges for the hosts that would be pinging us.

I'm a newbie to firewalls and configs. Is there any way to allow the service provider to 'ping' our router from the pre-determined range of source IPs? When I try to set up a rule for this, the rule wants an internal IP address under destination NAT settings... I have no idea what that would be.

Do I uncheck the "Block Ping to WAN Interface"?  That would allow anyone/anything to ping me, right? Is that safe to do?

Thanks for your advice.

Cisco Employee

Re: SA520W: ICMP to WAN port?

Hi Chris,

Yes you can have your provider Ping your SA520W, however, you will need to redirect the ICMP-ECHO (type8), ICMP-ECHO-REPLY (type0) and ICMP-TRACEROUTE (type30) to a physical device either on your LAN or DMZ.  You do not want to open the ability for anybody to be able to ping your WAN interface.

What you need to do is first create the internal Service definition for ICMP type 30 and type 0, as these are not predefined. Log into the router, select the Firewall tab, then select Services, and choose Add. Enter the values accordingly. See attached picture.

After adding your services, you need to create an IPv4 firewall rule for each ICMP type to allow each service to be redirected to an internal device on either the LAN or DMZ. Select the Firewall tab, then select IPv4 Rules, select Add... Enter the parameters to match your environment.

See attached bitmap showing a firewall rule to allow a remote IP address range to be able to ping a device on the DMZ.

Hope this helps,

Best regards,
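
An added example, not part of the original thread and not Cisco code: a small Python model of the policy the reply describes (only the three requested ICMP types, only from the provider's source range, everything else dropped), plus an audit that flags a rule open to any source. The addresses are constructed documentation-range placeholders, and the rule tuple layout and function names are assumptions, not the SA520W's configuration format.

```python
import ipaddress

# ICMP types the provider asked for, as named in the question.
REQUESTED = {8: "ICMP-ECHO", 0: "ICMP-ECHO-REPLY", 30: "ICMP-TRACEROUTE"}

# Constructed sample rules: (icmp_type, first source address, last source address).
# 203.0.113.10-20 stands in for the provider's monitoring range (placeholder).
RULES = [(t, "203.0.113.10", "203.0.113.20") for t in REQUESTED]

# Model of an unrestricted ping rule: any source may send echo requests.
OPEN_RULES = [(8, "0.0.0.0", "255.255.255.255")]


def in_range(addr, first, last):
    """True if addr lies inside the inclusive range first..last."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, first, last))
    if not (a.version == lo.version == hi.version):
        return False  # never match across IPv4/IPv6
    return lo <= a <= hi


def evaluate(src, icmp_type, rules=RULES):
    """Return 'ALLOW' when a rule matches both type and source, else 'DROP'."""
    for rtype, first, last in rules:
        if rtype == icmp_type and in_range(src, first, last):
            return "ALLOW"
    return "DROP"  # default deny for anything not explicitly listed


def audit(rules):
    """List rules that are wider than what the provider asked for."""
    findings = []
    for rtype, first, last in rules:
        if rtype not in REQUESTED:
            findings.append(f"type {rtype}: not a requested ICMP type")
        if first == "0.0.0.0" and last == "255.255.255.255":
            findings.append(f"type {rtype}: source is any address")
    return findings


if __name__ == "__main__":
    # Constructed test packets: (source address, ICMP type).
    for src, t in [("203.0.113.15", 8), ("198.51.100.7", 8), ("203.0.113.15", 13)]:
        print(src, t, evaluate(src, t))
    print(audit(RULES), audit(OPEN_RULES))
```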
