TACACS+ requests through NAT device

Hi everyone.
I want to authenticate and authorize VTY access to Cisco devices using TACACS+. The config is pretty "straightforward", BUT:
I want to forward the TACACS+ request through a NAT device and on to the "Internet" where the TACACS+ server is located. (ACS 3.3)
Two questions arise in this situation:
- Does the TACACS+ protocol support requests through NAT devices?
- Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all AAA clients and on the ACS)
As you see, I want to connect "as many AAA clients as possible" to a TACACS+ server with "as easy = as few configuration changes as possible".
I know VPNs are an option as well, but they are not preferred in my design.
Best Regards
Jarle Steffensen

As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server cannot differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
HTH
Rick
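As an added illustration that is not code from this thread, from Cisco or from ACS, here is a small Python model of Rick's two points: the TACACS+ body obfuscation defined in RFC 8907 is keyed only on session_id, the shared secret, version and seq_no, so a static NAT or PAT that rewrites the IP header leaves the packet decodable, while the server selects the secret and records the client by source IP, so every router behind the NAT shows up as one AAA client. The addresses, secret and user names are constructed sample values.

```python
import hashlib
import struct

# Packet header, RFC 8907 section 4.1: version, type, seq_no, flags, session_id, body length.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 0xC0           # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id|key|version|seq_no(|previous digest).
    No IP or TCP header field feeds the pad, so a NAT that rewrites addresses cannot break it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port="tty1", rem_addr="", priv_lvl=1):
    """Authentication START body, RFC 8907 section 5.1: eight fixed bytes, then the variable strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    # action=LOGIN(1), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1), then the four lengths
    fixed = struct.pack("!8B", 1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body, session_id, key, seq_no=1):
    hdr = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(pkt, key):
    """De-obfuscate with the given shared secret and decode the START fields."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    body = pkt[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated TACACS+ body")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    _action, priv_lvl, _atype, _service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != length:
        # With the wrong secret the pad is wrong and the decoded lengths no longer add up.
        raise ValueError("body lengths inconsistent: wrong shared secret or corrupt packet")
    user = body[8:8 + ul].decode()
    port = body[8 + ul:8 + ul + pl].decode()
    return {"session_id": session_id, "seq_no": seq_no, "user": user, "port": port, "priv_lvl": priv_lvl}


def pat_rewrite(segment, outside_ip, outside_port):
    """Overload NAT (PAT) rewrites only the addressing; the TACACS+ payload passes through byte for byte."""
    return {"src_ip": outside_ip, "src_port": outside_port, "payload": segment["payload"]}


class TacacsServer:
    """Minimal server: the shared secret is selected by source IP, like an AAA-client table."""

    def __init__(self, aaa_clients):
        self.aaa_clients = aaa_clients   # {source ip: shared secret}
        self.log = []                    # what an accounting/report view would show

    def handle(self, segment):
        src = segment["src_ip"]
        key = self.aaa_clients.get(src)
        if key is None:
            self.log.append(("unknown-aaa-client", src, None))
            return None
        try:
            start = parse_packet(segment["payload"], key)
        except ValueError as exc:
            self.log.append(("decode-failure", src, str(exc)))
            return None
        self.log.append(("authen-start", src, start["user"]))
        return start


def simulate(shared_key=b"S3cret", outside_ip="203.0.113.5"):
    """Two routers behind one PAT address (constructed sample values); the server knows only the outside IP."""
    server = TacacsServer({outside_ip: shared_key})
    for i, (inside_ip, user) in enumerate([("10.0.0.1", "alice"), ("10.0.0.2", "bob")]):
        pkt = build_packet(authen_start_body(user, port=f"vty{i}"), 0x1000 + i, shared_key)
        segment = {"src_ip": inside_ip, "src_port": 40000 + i, "payload": pkt}
        server.handle(pat_rewrite(segment, outside_ip, 50000 + i))
    return server.log   # both entries are attributed to 203.0.113.5, not to 10.0.0.1 / 10.0.0.2
```

Calling simulate() returns the server's log: both logins decode correctly, and both are recorded against the single NAT address, which is exactly the loss of per-device visibility Rick describes.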

Similar Messages

  • AAA Accounting through a NAT device

    Good Day to you all,
    I am trying to configure AAA accounting through a NATted device to an ACS 4.0 server. The information is logged OK, but it is logged as the device that is performing the NAT. Is there a way to configure AAA accounting to show the actual device being updated in the ACS logs?

    Assuming it's RADIUS...
    Is it possible to get the originating device to include the NAS-IP-Address or NAS-Identifier attributes in the accounting records?
    This will be the actual device values rather than the peer address of the NAT device.

  • How to forward DHCP requests through 1140N AP

    We have an 1140N AP connected to a switch and our "network partner" controls the router and will hand out DHCP and do the NAT for this WLAN. How can I configure the AP to forward DHCP requests through?
    I have WPA2 PSK (TKIP) set up and the client is able to authenticate; however, we fail to get an address. In this case the Ethernet interface was left alone so it has the default config and it gets a DHCP address fine. How can I configure this AP to enable the rest of the WiFi clients to get an IP?

    Here is my cleaned config. I put helpers everywhere and still can't get an IP.
    I don't have control over the switch or router that this will plug into nor the setup.  The switchport it will plug into has a VLAN designated for Guest Wireless access.  I suspect that I need to redo the config without VLAN10 involved correct?
    Current configuration : 4880 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname [removed]
    enable secret [removed]
    no aaa new-model
    dot11 syslog
    dot11 ssid [removed]
       vlan 10
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [removed]
    crypto pki trustpoint TP-self-signed-1278736388
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1278736388
    revocation-check none
    rsakeypair TP-self-signed-1278736388
    crypto pki certificate chain TP-self-signed-1278736388
    certificate self-signed 01
      quit
    username [removed] privilege 15 password [removed]
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 10.135.14.1
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    ssid [removed]
    antenna gain 0
    speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip helper-address 10.135.14.1
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio1
    no ip address
    ip helper-address 10.135.14.1
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    ssid [removed]
    antenna gain 0
    dfs band 3 block
    speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.10
    encapsulation dot1Q 10
    ip helper-address 10.135.14.1
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    ip helper-address 10.135.14.1
    no ip route-cache
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    banner motd ^C
    Access to this device is restricted to authorized users. Unauthorized access is a violation of state and federal, civil and criminal laws (e.g., NRS 205.4765). Evidence of unauthorized access will be provided to law enforcement personnel.
    ^C
    line con 0
    password [removed]
    login local
    line vty 0 4
    password [removed]
    login local
    end

  • Can't connect to Server through NAT

    Hey all.
    So, I'm trying to connect to my 10.8 server from outside of my network using Server.app.
    On my local subnet, I can connect fine with my normal user.
    From anywhere outside of my local network, all I get is a shake from the login dialog (which is pretty meaningless).
    Since I'm using NAT, I've forwarded 311/TCP and 311/UDP through to the server host.
    When I telnet to my server on 311 I get a connection, so the traffic is getting through NAT (at least the TCP traffic).
    The only indication of a problem I get is a terse log entry on the machine I'm attempting to connect from:
       Server: Failed to authenticate to OD
    I'm using the same credentials I use through Server.app when on the local subnet, so something else is happening.
    I do get a certificate warning, which I check off so that I always trust it. I can use the same hostname on my internal and external zones, but the IP resolves back to
    Does OD require some additional configuration for requests from outside the local net?
    Is Server.app just flawed?
    Does this somehow have to do with DNS?
    Any ideas?

    Server app communicates over TCP port 687, not 311.
    That being said I wouldn't port forward server administration traffic to your server. A better approach would be to make a VPN connection first and then do whatever task you're trying to do after that.
    Source: http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US

  • My internal speaker on my MacBook Pro works through external devices (e.g. headphones) and a red light appears on my audio line port. What should I do?

    I use a 2009 MacBook Pro with OS X 10.9.5 Yosemite, and I have trouble with my internal speaker: it only works through external devices. What should I do? Please help.

    This is the Mac Pro desktop forum. I requested your post be moved to the MacBook Pro laptop forum.
    Please move to the MacBook Pro forum. Thanks.
    Also, if by external you mean via the headphone jack, then try cleaning out/blowing out the headphone jack. Try inserting/removing the plug a dozen times or so. There is a little switch in the headphone jack that disconnects the speaker when the headphone plug is inserted.

  • DHCP requests through ASA

    Hi ,
    I have an ASA5585 in routed mode (check the attached diagram), and my DHCP client is on the inside, while the DHCP server is on the outside.
    I know that the ASA can be configured as a DHCP relay, but there is a condition:
    “DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router”
    Does this mean that the setup in the attached diagram cannot work?
    Is there any other way to make it work, without changing the ASA to transparent mode?

    Hi,
    I think the text above refers to a situation where you are actually using the ASA to relay DHCP messages.
    You couldn't therefore use the ASA to relay DHCP messages that were relayed by another device behind the ASA. Though I don't know why the DHCP messages would need to be relayed twice.
    But as we can see in this case the L3 switch is the device that handles the relay of DHCP messages to the actual DHCP server, and the ASA doesn't have to do anything related to DHCP other than pass the unicast UDP traffic. Therefore you wouldn't be configuring any DHCP related settings on the ASA and the above quote/limitation wouldn't apply to your setup.
    So it seems to me that you can leave out all the DHCP/DHCP relay configurations from the ASA and just allow the traffic originating from the L3 switch.
    I might be able to lab this for you at some point on my home network if needed (though naturally with a different ASA model). I think we have several environments at work already that use an ASA5585-X (multiple context mode) where the customer router uses "ip helper-address" to relay DHCP messages to a DHCP server located on a DMZ interface of the ASA context.
    - Jouni

  • Error While Making a Request Through API

    Hi everyone,
    I'm trying to submit a request through the API for the "Assign Roles" template, I used http://java.net/projects/openptk/sources/svn/content/branches/Oracle/OIM11g/examples/java/OIMClient/src/oim/client/request/RequestRoleCreate.java?rev=1489 as a basis for my code. Pretty much line for line.
    This is my code.
    public static RequestStatusSummary[] applicationAccessRequest(String email, String templateName, String roleName) {
        // requestData and requestSvc are not declared here; they must be class fields initialised
        // elsewhere (after the OIMClient login). templateName is never used in this method.
        String userKey = getUserKey(email);
        Beneficiary beneficiary = null;
        RequestBeneficiaryEntity entity = null;
        List<RequestBeneficiaryEntity> entityList = null;
        // add role requested
        entityList = new ArrayList<RequestBeneficiaryEntity>();
        entity = new RequestBeneficiaryEntity();
        entity.setEntityKey(getRoleKey(roleName));
        entity.setEntityType(RequestConstants.ROLE);
        entity.setEntitySubType(roleName);
        entityList.add(entity);
        // set beneficiary to user
        beneficiary = new Beneficiary();
        beneficiary.setBeneficiaryType("user");
        beneficiary.setBeneficiaryKey(userKey);
        beneficiary.setTargetEntities(entityList);
        // add beneficiaries to the request data
        List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
        beneficiaries.add(beneficiary);
        requestData.setBeneficiaries(beneficiaries);
        System.out.println(requestData);
        // submit request and fetch its status
        String reqId = requestSvc.submitRequest(requestData);
        RequestStatusSummary[] requestStatusSummary = requestSvc.getRequestStatusSummary(reqId);
        return requestStatusSummary;
    }
    getRoleKey() and getUserKey obtain the correct values. Directly before calling this method I log in to OIM using OIMClient this works correctly as well. The issue is that submitRequest() throws this. Any suggestions would be greatly appreciated. Thank you for your time.
    javax.ejb.EJBException: ; nested exception is:
         java.io.EOFException; nested exception is: java.io.EOFException
         at weblogic.rjvm.t3.MuxableSocketT3.endOfStream(MuxableSocketT3.java:345)
         at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:826)
         at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:760)
         at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:941)
         at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:888)
         at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:339)
         at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
         at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
    javax.ejb.EJBException: ; nested exception is:
         java.io.EOFException; nested exception is: java.io.EOFException
         at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.unwrapRemoteException(RemoteBusinessIntfProxy.java:121)
         at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:96)
         at $Proxy6.submitRequestx(Unknown Source)
         at oracle.iam.request.api.RequestServiceDelegate.submitRequest(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
         at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
         at $Proxy7.submitRequest(Unknown Source)
         at testoimlogin.TestOIMLogin.applicationAccessRequest(TestOIMLogin.java:350)
         at testoimlogin.TestOIMLogin.main(TestOIMLogin.java:537)
    Caused by: java.io.EOFException
         at weblogic.rjvm.t3.MuxableSocketT3.endOfStream(MuxableSocketT3.java:345)
         at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:826)
         at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:760)
         at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:941)
         at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:888)
         at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:339)
         at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
         at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)

    How are you creating OIMClient?
    Make sure that you are using the proper OIM URL: t3://ManagerServer:MANAGEDSERVERPORT
    getting error while calling RequestService interface

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains a somewhat complete log snippet of ASA1

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA is looking for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • I have an iPhone and iPad on one iTunes account. I have recently bought two further iPod touches for the kids; should I set them up with their own Apple IDs, and then can I transfer purchases through all devices?

    Hi jhyiesla,
    I'm not sure whether I got you right or not. But my advice would be as follows:
    These steps help you get rid of old apps you downloaded years ago and do not use anymore. (Also frees space on your Mac after emptying the trash.)
    1) Go to iTunes and delete all applications in it. Make sure to move them to trash! Do not empty your trash yet. It's your backup if step 3 doesn't appear.
    2) Connect both your devices (one after the other) and make a backup. Don't press the Sync button, press the Back Up Now button.
    3) Then it asks you if you want to back up applications as well. Confirm. (This is how apps get transferred manually.)
    4) Then sync your devices. The first time it might be that there are some additional apps loaded to your devices you don't want; delete them on your device (not iTunes) and after that you should be good every time you sync again.
    5) Now you can empty your trash on your Mac.
    Further,
    - You should regularly connect your devices with iTunes to make sure they are backed up. (Even if you have activated iCloud backup, the iTunes backup is more complete, i.e. apps.)
    - If you hate scrolling through a list of apps in iTunes, you can re/install apps directly on iOS, not via iTunes. I absolutely never go to the "Applications" section in iTunes. I install and delete apps directly on iOS.
    jl

  • How to add Objects to transport request through FM/BAPI?

    Hi All,
    I am creating a workbench request through a program. I am able to create it by using a BAPI, but I am unable to add objects to it through the program.
    Can anybody tell me the function module/BAPI to add objects to a transport request?
    I have the list of objects that are supposed to be added.
    No BDC please.
    Thanks ,
    Swarup

    Hi Swarup,
    Check FM TRINT_MODIFY_COMM. Also look at program TH_TKANL for the usage of FM.
    Thanks
    Lakshman

  • Submitting concurrent request through oa framework page

    I want to submit a concurrent request through an OA Framework page and I wrote this code in the controller:
    try {
        OAApplicationModule am = pageContext.getApplicationModule(webBean);
        OADBTransaction transaction = am.getOADBTransaction();
        Connection conn = transaction.getJdbcConnection();
        ConcurrentRequest cr = new ConcurrentRequest(conn);
        cr.setDeferred();
        Vector param = new Vector();
        param.add("21092008");
        int reqId = cr.submitRequest("XXC", "XXC_DATE_VALIDATION_TEST_1", "XXC DATE VALIDATION TEST 1", null, false, param);
        // submitRequest returns 0 when the request was not submitted; do not forward to the view page in that case
        if (reqId == 0) {
            throw new OAException("Munish: concurrent request was not submitted", OAException.ERROR);
        }
        transaction.commit();
        System.out.println("Request ID >>> " + reqId);
        String id = "" + reqId + "";
        HashMap parameters = new HashMap();
        String url = "OA.jsp?akRegionCode=FNDCPREQUESTVIEWREGION&akRegionApplicationId=0";
        //parameters.put("akRegionApplicationId", "0");
        // parameters.put("akRegionCode", "FNDCPREQUESTVIEWPAGE");
        //parameters.put("akRegionCode", "FNDCPPROGRAMPAGE");
        parameters.put("requestMode", "DEFERRED");
        parameters.put("requestId", id);
        pageContext.setForwardURL(url,
                                  null,
                                  OAWebBeanConstants.KEEP_MENU_CONTEXT,
                                  null,
                                  parameters,
                                  true,
                                  OAWebBeanConstants.ADD_BREAD_CRUMB_NO,
                                  OAWebBeanConstants.IGNORE_MESSAGES);
    } catch (SetDeferredException e) {
        throw new OAException("Munish SetDeferredException " + e.getMessage(), OAException.ERROR);
    } catch (RequestSubmissionException e) {
        throw new OAException("Munish RequestSubmissionException " + e.getMessage(), OAException.ERROR);
    } catch (Exception e) {
        throw new OAException("Munish Exception " + e.getMessage(), OAException.ERROR);
    }
    but I don't know whether it is submitted or not.
    When I look for my request using the request ID through E-Business Suite I can't see anything regarding this ID,
    and I am getting this error:
    java.lang.NullPointerException
    at oracle.apps.fnd.cp.viewreq.webui.ViewRequestsPageCO.processRequest(ViewRequestsPageCO.java:213)
    Could anyone help me please?
    Thanks

    Check the "Adding Request Monitoring to Your Product" section from dev guide.
    --Shiv

  • My iPhone 4S says connected to TV and will not let me watch any videos on Safari, and only plays sound through the device. I have not messed with the settings, and have not connected it to anything Bluetooth either. Its update is iOS 6.1.3

    I have an iPhone 4S and it won't let me watch videos in Safari, which I do every day. It says that I am connected to a TV, yet I have not connected it to a TV during the entire time I've owned this product. I have not connected it to anything Bluetooth either. It plays the sound through the device, but it will not play the video at all. The update is iOS 6.1.3

    Try disabling the computer's antivirus and firewall.
    - Next try the manual install method of:
    iDevice Troubleshooting 101 :: iPhone, iPad, iPod touch
    Place the iPod in recovery mode after the firmware download is complete and then restore using the instructions in the article. Sometimes recovery mode timeouts and returns to disabled before the firmware download is complete.
    - Then try on another computer

  • Error occurred when giving down payment request through Tcode F-47

    Dear All,
    The following error occurred when giving a down payment request through Tcode F-47 by
    inserting a purchase contract in the Purch. Doc. field:
    Purch. doc. 4600000442 neither a purch. order nor a schedul. agmt.
    Message no. ME703
    Please suggest.
    Regards
    Shailesh

    Hi
    As the error message states, you should put the PO number instead of the Purchase Contract number in the down payment request.
    You can create a PO for that purchase contract if you want the purchase contract to also be used in that process.
    Brgds
    Abdulla

  • How to send POST HTTP Request through PI .

    Hi ,
    I am trying to send an XML message to an HTTP server from SAP PI 7.1,
    but I am not able to; the reason the HTTP guy is giving me is that I am sending a GET request through SAP PI 7.1 and it should be POST.
    Where do I change this, so that only a POST request goes?
    There is one more thing: I am facing this only in Quality. In Development the request is going as POST and everything is running fine...
    Regards
    PS

    It was always HTTP from our end; some config was missing at the HTTP guy's end, which solved the problem.
    So there was no issue at PI end.

  • Multiple HTTP requests through same connection

    Hi...
    I am writing an application which connects to its server through the HTTP protocol, and the server is basically a bunch of servlets hosted somewhere (right now in the Tomcat running on my PC).
    I know that with the Connection: Keep-Alive header you can keep the connection alive and do multiple requests to the same server.
    Can someone point me to where I can find some sample code which shows how to send multiple requests through the same URL connection or URL object? What I can't figure out is how to reset the URL connection or its streams and make them send another request message to the server so the server can respond.
    Or do I have to do this manually (using sockets)?

    You SHOULD be able to do it with an HttpUrlConnection method. However, I have hand-coded HTTP server and client apps and keep-alive is rarely enabled in servers.
    This is due to better handling of millions of unique hosts requesting, unlike a network os, which is made the other way around.
