Re: Took network down with wrong access-list

From: Jay Hennigan (jay@west.net)
Date: Thu Nov 14 2002 - 20:10:38 GMT-3


On Thu, 14 Nov 2002, Jeongwoo Park wrote:

> Hi all.
> I'd like to share what I did this morning that took an internet connection down
> for one of our customers' companies.
>
> Internet_router#
>
> Interface s0
> Ip access-group 100 in
> .
> .
> .
> access-list 100 deny icmp any host 172.16.1.10 echo
> I was trying to set up an access-list in a way that no one can ping one of their
> servers in their network.
> This config took their internet connection down.
> I immediately removed it, and it came back normal.
>
> What did I do wrong?

There is an implicit "deny any any" at the end of all IP access lists.
As you had no permit statements, the list permitted nothing.

If you ever do this type of thing remotely, it's a good idea to first
enter a "reload in 15" command so that if you lock yourself out, the
router will reboot itself (back to the saved configuration) in 15 minutes.

Also, create the access list first, then apply the corresponding access
group to the appropriate interface.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323
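The two IOS rules Jay's answer rests on, first match wins and an implicit "deny any any" closes every list, can be seen in a small model. The following is an added example written for this archive page, not Jeongwoo's or Jay's configuration; it parses only the `any` and `host A.B.C.D` address forms (wildcard masks are deliberately left out), and every packet except the 172.16.1.10 address from the post is constructed from the TEST-NET ranges. It evaluates the list exactly as it was applied, then the same list with the `permit ip any any` that was missing.

```python
"""Toy model of Cisco IOS extended access-list evaluation.

Added example for this thread, not configuration from the original post.
It implements the two IOS facts the reply relies on: entries are checked
top to bottom and the first match wins, and every list ends with an
implicit "deny any any".  Only 'any' and 'host A.B.C.D' address forms are
parsed (wildcard masks are omitted as a simplification of this model); the
sample packets are constructed, with 172.16.1.10 taken from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # CIDR string or "any"
    dst: str
    icmp_type: Optional[str] = None  # None means any ICMP type


def _address_spec(tokens, i):
    """Consume 'any' or 'host A.B.C.D' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    raise ValueError("only 'any' and 'host X' are supported: " + tokens[i])


def parse_entry(line):
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [icmp-type]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]
    src, i = _address_spec(t, 4)
    dst, i = _address_spec(t, i)
    icmp_type = t[i] if i < len(t) else None
    return Entry(action, proto, src, dst, icmp_type)


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_in(p.src, e.src) and _in(p.dst, e.dst)):
        return False
    return e.icmp_type is None or e.icmp_type == p.icmp_type


def evaluate(acl, p):
    """First matching entry decides; no match falls into the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"  # the implicit 'deny any any' at the end of every IOS ACL


# The list exactly as posted, and the same list with the permit it was missing.
BROKEN_ACL = ["access-list 100 deny icmp any host 172.16.1.10 echo"]
FIXED_ACL = BROKEN_ACL + ["access-list 100 permit ip any any"]

# Constructed inbound traffic arriving on s0 from the Internet side.
SAMPLE_PACKETS = {
    "ping_to_protected_host": Packet("icmp", "203.0.113.5", "172.16.1.10", "echo"),
    "ping_to_other_host":     Packet("icmp", "203.0.113.5", "172.16.1.20", "echo"),
    "web_reply_to_client":    Packet("tcp", "198.51.100.80", "172.16.1.20"),
    "echo_reply_to_server":   Packet("icmp", "203.0.113.5", "172.16.1.10", "echo-reply"),
}


def verdicts(acl_lines):
    """Map each sample packet name to the ACL's permit/deny decision."""
    acl = parse_acl(acl_lines)
    return {name: evaluate(acl, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, lines in (("as applied", BROKEN_ACL), ("with permit", FIXED_ACL)):
        print(label, verdicts(lines))
```

With the list as applied, every sample packet ends in the implicit deny, including ordinary TCP replies, which is why the whole connection appeared to go down. With `permit ip any any` appended, only echo requests to 172.16.1.10 are dropped; everything else, including echo-replies to that host and pings to other hosts, falls through to the permit. The model also shows why Jay's ordering advice matters: building the complete list before `ip access-group 100 in` is applied means the interface never runs a list that consists of a lone deny.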


This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3