Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3811
Views
5
Helpful
4
Replies

RV180 - How can I unblock WAN ICMP traffic from a specific address?

Media3Ltd
Level 1
Level 1

‎10-05-2013 11:54 AM

My ISP is unable to ping my router (see below).  Short of enableing "Respond to Ping on WAN", nothing seems to work.

"Dear Cogent Customer,


Cogent is unable to proactively test the status of your circuit because it appears that there is a universal ICMP block in place. Unfortunately, if Cogent is unable to monitor the IP specified it is impossible for us to honor the Guarantees and Service Credits provided in any Service Level Agreement, Customer Service Agreement or other type of performance level agreement that you currently have with Cogent Communications.  More importantly, it makes it impossible for Cogent Support to proactively troubleshoot problems because we have no visibility.


This can be resolved by blocking all ICMP traffic except from the Cogent monitoring IP blocks of 66.28.3.0/24, 66.250.250.0/24 and 130.117.254.0/24 (EU only).  The IP ranges for IPv6 monitoring are 2001:550:1:300::/56 for North America and 2001:550:1:300::/56 for the European Union.  Failing that, we will have to turn off the monitoring of your circuit because it will continue to give false alarms.  You would need to call Cogent Technical Support at 877-7COGENT, option 2, reference ticket number HD5537786 and request that network status monitoring be turned back on if that happens.  We would test the new configuration to ensure we can monitor the IP and then gladly return your circuit to monitored status."

Thank you,

Damon

Labels:
0 Helpful
4 Replies 4

aunrein
Level 1
Level 1

‎10-07-2013 02:19 PM

Hello Damon,

I believe that you can achieve your desired result by enabling "Respond to Ping on WAN" and creating an ACL rule that blocks all ICMP traffic from the Internet except for the traffic from a specified range of addresses. You can configure ACLs by navigating to Firewall > Access Rules in the GUI.

Let me know if this works.

Thanks,

Alex

0 Helpful

Media3Ltd
Level 1
Level 1
In response to aunrein

‎10-07-2013 05:33 PM

Hi Alexander,

Yes, this makes total sense and is exactly what I want to achieve, but just don't see any way to create an IP exception under the access rule options of a RV180.  Am I missing something or is it located under some other tab?

Thanks,

Damon

0 Helpful

aunrein
Level 1
Level 1
In response to Media3Ltd

‎10-16-2013 01:20 PM

Hello Damon,

Sorry for the late reply.

Here is what I think you need to do. First, go to Firewall > Access Rules in GUI. Click Add Rule. Configure the rule to allows ICMP traffic from the WAN to LAN for a specified source IP address or IP address range. The source IP needs to be your ISP's address that they will be using to ping you. Save that Access Rule. Then, create a second Access Rule that blocks all ICMP traffic from the WAN to LAN regardless of address. I believe this configuration should accomplish what you want.

Let me know if this works.

Thanks,

Alex

Dilyan Dimov
Level 1
Level 1

‎06-22-2018 10:09 AM

Firewall > Attack Prevention - Select "Respond to Ping on WAN (Internet)" and Save it!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents