diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index e04634e94e5..7fe30c86142 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -438,7 +438,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 elif ip_proto == constants.PROTO_NUM_ICMP:
 for attr, field in [('port_range_min', 'type'),
 ('port_range_max', 'code')]:
- if rule[attr] is not None and rule[attr] > 255:
+ if rule[attr] is not None and not (0 <= rule[attr] <= 255):
 raise ext_sg.SecurityGroupInvalidIcmpValue(
 field=field, attr=attr, value=rule[attr])
 if (rule['port_range_min'] is None and
diff --git a/neutron/tests/api/test_security_groups_negative.py b/neutron/tests/api/test_security_groups_negative.py
index 347b18be17e..2e40d7a862c 100644
--- a/neutron/tests/api/test_security_groups_negative.py
+++ b/neutron/tests/api/test_security_groups_negative.py
@@ -148,6 +148,7 @@ class NegativeSecGroupTest(base.BaseSecGroupTest):
 # Create rule for icmp protocol with invalid ports
 states = [(1, 256, 'Invalid value for ICMP code'),
+ (-1, 25, 'Invalid value'),
 (None, 6, 'ICMP type (port-range-min) is missing'),
 (300, 1, 'Invalid value for ICMP type')]
 for pmin, pmax, msg in states:
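Review bot: The rewritten bound check in `neutron/db/securitygroups_db.py` (`not (0 <= rule[attr] <= 255)`) has no comment explaining the range, and the attribute names `port_range_min`/`port_range_max` hide that the values validated here are the ICMP type and code. I would add `# ICMP type and code are single-octet fields, so only 0..255 is valid` above the `if`, and consider a named constant in place of the literal 255. Whether a non-integer value can reach this comparison cannot be told from the hunk; the enclosing method starts and ends outside it.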
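Review bot: The new negative case `(-1, 25, 'Invalid value')` in `neutron/tests/api/test_security_groups_negative.py` expects only the prefix `'Invalid value'`, while the neighbouring tuples pin the full message (`'Invalid value for ICMP code'`, `'Invalid value for ICMP type'`). If the loop matches on a substring, as the other entries suggest, this case passes for any rejection whose message begins that way, so it does not show that the new lower bound in `securitygroups_db.py` is the check that fires. I would pin the exact message returned for -1 and add a short comment such as `# negative ICMP type must be rejected` on the tuple. The loop body that consumes `states` is outside the hunk.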