RE: Took network down with wrong access-list

From: Nate Kleven (cciemail@intellinet.ws)
Date: Thu Nov 14 2002 - 19:51:48 GMT-3


There is an implicit DENY statement at the end of all access-lists. With
that in mind, without any permit statements, all traffic was being dropped.
Try something like this:

access-list 100 deny icmp any host 172.16.1.10 echo
access-list 100 permit ip any any

Also, I noticed in your email that you mentioned this is on an Internet
router? The host 172.16.1.10 should not be reachable from the Internet
anyway! Are you doing a static NAT translation? If that is the case, your
deny statement should be for the public IP address, not the private.

HTH

__________
Nate Kleven
Senior Network Engineer, CCNP Voice Access, MCSE
Expanets
6020 So 190th ST
Kent, WA 98032
(206)219.6135
"Experienced at Networked Solutions"
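To make the implicit-deny behaviour concrete, here is an added example (not from either poster) that models a small subset of IOS extended access-list evaluation in Python and runs JP's one-line list and Nate's corrected list against a few constructed packets. The source addresses and the second server 172.16.1.20 are made up for the demo; only contiguous wildcard masks are handled.

```python
import ipaddress

# Supported syntax: access-list <n> <permit|deny> <proto> <src> <dst> [echo]
# where an address is "any", "host A.B.C.D", or "A.B.C.D WILDCARD" (contiguous only).

def _parse_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard: a 1 bit means "don't care", so invert it to get the netmask
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(mask))), strict=False)
    return net, tokens[2:]

def parse_acl(lines):
    """Parse access-list lines (other config lines are skipped) into ACEs."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0].lower() != "access-list":
            continue
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        aces.append({"action": tok[2].lower(), "proto": tok[3].lower(), "src": src,
                     "dst": dst, "icmp_type": rest[0].lower() if rest else None})
    return aces

def evaluate(aces, proto, src, dst, icmp_type=None):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"]
    return "deny"  # the implicit deny that took the Internet link down

BROKEN = ["access-list 100 deny icmp any host 172.16.1.10 echo"]   # JP's list
FIXED = BROKEN + ["access-list 100 permit ip any any"]             # Nate's fix

def verdicts(acl_lines):
    """Constructed packets: a ping to the server, a ping elsewhere, and a web hit."""
    aces = parse_acl(acl_lines)
    return {"ping_server": evaluate(aces, "icmp", "198.51.100.7", "172.16.1.10", "echo"),
            "ping_other": evaluate(aces, "icmp", "198.51.100.7", "172.16.1.20", "echo"),
            "web_to_server": evaluate(aces, "tcp", "198.51.100.7", "172.16.1.10")}

if __name__ == "__main__":
    print("JP's one-line ACL:", verdicts(BROKEN))   # every packet denied
    print("Nate's corrected :", verdicts(FIXED))    # only the echo to the server denied
```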

-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Thursday, November 14, 2002 2:03 PM
To: 'ccielab@groupstudy.com'
Subject: Took network down with wrong access-list

Hi all.
I'd like to share what I did this morning to take an Internet connection down
for one of our customers' companies.
 
Internet_router#
 
interface s0
ip access-group 100 in
.
.
.
access-list 100 deny icmp any host 172.16.1.10 echo
 
 
I was trying to set up an access-list in a way that no one can ping one of their
servers in their network. This config took their Internet connection down. I
immediately removed it, and it came back to normal.
 
What did I do wrong?
 
Thanks,
 
JP



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3