Skip to main content
Cisco SD-WAN
Product Documentation
Viptela Documentation


vpn interface nat block-icmp-error—Prevent a vEdge router that is acting as a NAT device from receiving inbound ICMP error messages (on vEdge routers only). By default, such a vEdge router blocks these error messages. Blocking error messages is useful in the face of a DDoS attack.

NAT uses ICMP to relay error messages across a NAT, so if you want to receive these messages, disable the blocking of ICMP error messages.

vManage Feature Template

For vEdge routers only:

Configuration ► Templates ► VPN Interface Cellular (for vEdge cellular wireless routers only)
Configuration ► Templates ► VPN Interface Ethernet
Configuration ► Templates ► VPN Interface NAT Pool
Configuration ► Templates ► VPN Interface PPP

Command Hierarchy

vpn vpn-id
  interface interface-name




Configure a vEdge router acting as a NAT so that it does not block inbound ICMP error messages, to allow the router to receive NAT ICMP relay error messages:

vEdge# config
vEdge(config)# vpn 1 interface ge0/4 nat
vEdge(config-nat)# no block-icmp-error
vEdge(config-nat)# show full-configuration
vpn 1
 interface ge0/4
    no block-icmp-error

Release Information

Command introduced in Viptela Software Release 14.2.​

Additional Information

See the Configuring Local Internet Exit article for your software release.

  • Was this article helpful?