Access Prohibited

Some of the users have issues accessing interactive dashboards. The error code is Q4NU7XSN; the error is "class saw::security_impl::Group *" is invalid.
Has anybody seen this kind of error before? Thanks a lot!!!

I have seen a similar issue for some users logging into Dashboards / Answers, on our UAT system, after migrating the Web catalog. We shut down all services and re-migrated before trying again and everything was fine again.
I assume this was possibly due to a lock on some files at the time we originally migrated the web catalog.
You can test this by changing to a different web catalog in instanceconfig.xml and seeing if those users still have issues. If not, then it seems there is something wrong in the web catalog. If you don't have a backup you can revert to, you might want to recreate the users / groups in question.
Regards,
Imran

Similar Messages

  • Import Catalog Hit Error - Unable to Login. Access Prohibited.

    Hello
    I have been trying to learn OBIEE (version 10) on my local desktop and came across the following error
    Access Prohibited
    You are not currently authorized to use Oracle BI Interactive Dashboards.
    If you would like to use this powerful capability, please contact the sites administrator.
    I was able to import/check in a RPD and catalog folder from my development environment to my local desktop for testing purposes.
    After implementing the catalog, I hit the above error.
    I found the solution to fixing this error is posted here
    http://newappsdba.blogspot.ca/2010/11/obiee-unable-to-login-access-prohibited.html
    My question is - how do I avoid having to reset all the permissions again?
    If I was to check out the catalog, and check it back in, I don't want to always have to go through and reset all the permissions.
    How do other people check in their catalogs?
    Thanks in advance

    It is with administrator privileges
    I was reading around and it sounds like when just straight up cutting and pasting the entire catalog this can lead to permission issues
    I read the following forum link which helped
    Can not login to interactive dashboards
    I had to give myself access again...
    http://pcname:9704/analytics/saw.dll?PrivilegeAdmin&_scid=1cJYoJX6psU&Done=Admin
    Can anyone confirm if this is true?
    That I can not do a full copy and paste of the entire catalog from PROD to my local?

  • AnyConnect users cannot access internet

    When AnyConnect users try to connect to the internet it will not let them out.  I've included a copy of my config below.  Also, I have a 5505 with base license but the AnyConnect for mobile is disabled.  I got what seems to be a demo license from Cisco for 91 days.  I thought that the base license came with AnyConnect for 2 devices.  Why is the AnyConnect for mobile disabled by default?
    ASA Version 8.4(2)
    hostname ASA5505
    domain-name <removed>
    enable password <removed>
    passwd <removed>
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    banner motd
    banner motd +...................................................-+
    banner motd |                                                    |
    banner motd |   *** Unauthorized Use or Access Prohibited ***    |
    banner motd |                                                    |
    banner motd |        For Authorized Official Use Only            |
    banner motd | You must have explicit permission to access or     |
    banner motd | configure this device. All activities performed    |
    banner motd | on this device will be logged, and violations of   |
    banner motd | this policy may result in disciplinary action, and |
    banner motd | may be reported to law enforcement authorities.    |
    banner motd |                                                    |
    banner motd |   There is no right to privacy on this device.     |
    banner motd |                                                    |
    banner motd +...................................................-+
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 68.105.28.12
    name-server 68.105.29.12
    domain-name ok.cox.net
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network INSIDE-HOSTS
    subnet 10.10.10.0 255.255.255.0
    object network AnyConnect-INET
    subnet 192.168.10.0 255.255.255.0
    access-list Internet_IN extended permit icmp any interface outside echo-reply
    access-list Internet_IN extended permit icmp any interface outside
    pager lines 24
    logging enable
    logging timestamp
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo-reply inside
    icmp permit any echo-reply outside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AnyConnect-INET interface
    object network INSIDE-HOSTS
    nat (inside,outside) dynamic interface
    access-group Internet_IN in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd update dns both
    dhcpd address 10.10.10.25-10.10.10.50 inside
    dhcpd dns 68.105.28.12 68.105.29.12 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy "Client Group" internal
    group-policy "Client Group" attributes
    wins-server none
    dns-server value <removed>
    vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    default-domain value <removed>
    split-dns value <removed>
    webvpn
      anyconnect ssl rekey time none
      anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
    username <removed> password <removed> privilege 15
    username <removed> attributes
    webvpn
      anyconnect ask none default anyconnect
    username <removed> password <removed> privilege 15
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool vpnpool
    default-group-policy "Client Group"
    tunnel-group TunnelGroup1 webvpn-attributes
    group-alias ssl_group_users enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:943c1846a54a525f95905e6ebe313048
    : end

    I found part of my problem.  There wasn't nat (outside,outside) dynamic interface applied to the AnyConnect object network.  The other half of my question is still a mystery.  How come the AnyConnect for Mobile is off by default on a base license when it's supposed to come with 2 AnyConnect mobile licenses installed?

  • You have attempted to access a secure page without the appropriate authorization. I have used this website every week and today received this error message. I can access it with Internet Explorer.

    I received an error message after attempting to log in to a website. Access prohibited. You have attempted to access a secure page without the appropriate authorization.
    I access this website at least twice a week and now I get this error message. I am able to access this website through Internet Explorer. Is there something I can do to fix this problem, so I can use Firefox?

    Maybe:
    Dafizilla Table2Clipboard: https://addons.mozilla.org/firefox/addon/1852

  • Rule for Allowing Computer Access Microsoft

    I have a computer behind the ASA 5505 firewall. The computer needs to access Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at these heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall. Below, I have included my current ASA 5505 configuration. Can you please tell me what needs to be added or so?
    hostname ciscoasa
    domain-name default.domain.invalid
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.2.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 170.18.18.132 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner motd
    banner motd +......................-+
    banner motd | |
    banner motd | *** Unauthorized Use or Access Prohibited *** |
    banner motd | |
    banner motd | For Authorized Official Use Only |
    banner motd | You must have explicit permission to access or |
    banner motd | configure this device. All activities performed |
    banner motd | on this device may be logged, and violations of |
    banner motd | this policy may result in disciplinary action, and |
    banner motd | may be reported to law enforcement authorities. |
    banner motd | |
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network obj_any
    object-group network microsoft-servers
    network-object host 207.46.21.123
    network-object host 4.26.252.126
    network-object host 8.26.205.253
    network-object host 8.27.149.126
    network-object host 65.55.58.195
    network-object host 94.245.126.107
    network-object host 192.70.222.41
    network-object host 192.70.222.59
    network-object host 157.55.44.71
    network-object host 118.108.3.84
    network-object host 207.46.131.43
    network-object host 207.46.19.190
    network-object host 143.127.102.40
    network-object host 72.14.204.101
    network-object host 64.208.186.114
    object-group network other_servers
    network-object 118.108.62.236 255.255.255.255
    access-list outside_access_in extended permit ip object-group psu-servers any
    access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq www
    access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq https
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit tcp any object-group epay_servers eq https
    access-list inside_access_out extended permit ip any object-group psu-servers
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip audit name insidepolicy info action
    ip audit name outsidepolicy info action
    ip audit interface inside insidepolicy
    ip audit interface outside outsidepolicy
    ip audit info action
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo-reply outside
    icmp permit any outside
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 170.18.18.133 10.2.1.2 netmask 255.255.255.255
    access-group inside_access_out in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 170.18.18.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 10.2.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 10.2.1.2 255.255.255.255 inside
    ssh 170.18.18.132 255.255.255.255 outside
    ssh timeout 30
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.2.1.2-10.2.1.254 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hello Par13,
    You do not need to allow anything as you are already allowing everything from inside to outside:
    access-group inside_access_out in interface inside
    access-list inside_access_out extended permit ip any any
    That line allows everything that is initiated from the inside interface of the ASA. The returning traffic that matches a connection already established from that inside host will be allowed by default (stateful inspection applied by the ASA).
    Hope this helps.
    Regards,
    Do rate all the helpful posts
    Julio
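The first-match behaviour behind this answer can be checked offline. The sketch below is an added example, not code from the thread or from Cisco: it evaluates the three `inside_access_out` entries from the posted configuration in order and reports which later entries can never be hit. It models only ACL matching, not the stateful return path, and because `epay_servers` and `psu-servers` are referenced but not defined in the posted configuration, their members here are constructed placeholders.

```python
import ipaddress
from collections import namedtuple

# ACL and access-group lines copied from the configuration posted in the thread.
CONFIG = """\
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group epay_servers eq https
access-list inside_access_out extended permit ip any object-group psu-servers
access-group inside_access_out in interface inside
"""

# Constructed values: both groups are referenced by the ACL but not defined
# in the posted configuration, so documentation ranges stand in for them.
OBJECT_GROUPS = {
    "epay_servers": ["198.51.100.10/32"],
    "psu-servers": ["203.0.113.0/24"],
}
PORTS = {"www": 80, "https": 443}
Rule = namedtuple("Rule", "text action proto src dst port")


def take_addr(tokens, groups):
    """Consume one address spec (any | host A | object-group G | A MASK)."""
    head = tokens.pop(0)
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if head == "object-group":
        return [ipaddress.ip_network(n) for n in groups.get(tokens.pop(0), [])]
    return [ipaddress.ip_network(head + "/" + tokens.pop(0))]


def parse_acls(config, groups):
    """Return {acl_name: [Rule, ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        rest = t[5:]
        src, dst = take_addr(rest, groups), take_addr(rest, groups)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        acls.setdefault(t[1], []).append(
            Rule(line.strip(), t[3], t[4], src, dst, port))
    return acls


def bound_acl(config, interface):
    """Name of the ACL applied inbound on an interface via access-group."""
    for line in config.splitlines():
        t = line.split()
        if (len(t) == 5 and t[0] == "access-group"
                and t[2:4] == ["in", "interface"] and t[4] == interface):
            return t[1]
    return None


def decide(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto)
                and any(s in n for n in r.src) and any(d in n for n in r.dst)
                and (r.port is None or r.port == dport)):
            return r.action, i
    return "deny", None


def covers(a, b):
    """True if every flow that matches entry b also matches entry a."""
    def nets_cover(outer, inner):
        return all(any(n.subnet_of(o) for o in outer) for n in inner)
    return (a.proto in ("ip", b.proto)
            and nets_cover(a.src, b.src) and nets_cover(a.dst, b.dst)
            and (a.port is None or a.port == b.port))


def shadowed(rules):
    """Pairs (later, earlier): the earlier entry already matches all of the later one."""
    out = []
    for j, b in enumerate(rules):
        for i in range(j):
            if covers(rules[i], b):
                out.append((j, i))
                break
    return out


if __name__ == "__main__":
    rules = parse_acls(CONFIG, OBJECT_GROUPS)[bound_acl(CONFIG, "inside")]
    # An inside host reaching one of the Microsoft hosts listed in the post.
    action, idx = decide(rules, "tcp", "10.2.1.2", "207.46.21.123", 443)
    print(action, "by:", rules[idx].text)
    for later, earlier in shadowed(rules):
        print("never reached:", rules[later].text, "| shadowed by entry", earlier + 1)
```

With the `permit ip any any` entry first, the two narrower entries after it are dead configuration; they only take effect if that first entry is removed, at which point every other destination falls to the implicit deny.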

  • How to create a user in BI

    Hi,
    I am trying to add a user that I can use in BI other than the Administrator user.
    I have added a user via the Security Manager of BI Admin and have assigned it the Administrators security group. However, when I try to log into BI Answers using this new user I get the error
    Access prohibited - you are not authorised to use Oracle BI Answers
    Please contact the site administrator
    Any ideas of what I have missed in the user setup

    I believe you still need to grant the user the ability to login into Presentation services.
    Via the Presentation services, login using the Administrator account and go to settings-->Administration-->manage privileges and you can grant that user the ability to whatever is available on that page by selecting the type of access requested from the right hand side.

  • Install PSUS4 on Windows 7 (64 bit)

    Hi
    Here is how it worked for me:
    Forget the CD that comes with the product, you don't need it.
    Hook up the PSUS4 to network cable, printer, and power it all up.
    Now you need to connect to the PSUS4 in order to configure it, and we do that using Internet Explorer (or whatever browser you use). 
    In order to connect to it, you need to find out the network IP address of the PSUS4 (since you will type that address in the Internet browser address). How do we find out the IP address of the PSUS4?
    The PSUS4 has been factory configured to do DHCP, meaning it will request an IP address (to a router) in your network.
    How do you find out what address was given to it? You need to access your network router first.
    In order to access your router, you need the IP address of your router. Look it up in the documentation that comes with your router. You don't have the docs at hand? Good guess: it could very well be: > 192.168.1.1 < Type what's between the brackets in the address line of your IE and there you go.
    Now your router may have access prohibited with username and password. That's not so easy, google the router, like: "netgear password router" and you will probably find the default password there. Replace Netgear with the router make that you have.
    Once inside the router menu, locate "Attached devices" or similar, and find the addresses that the router has provided to devices on your network. You should find your own PC to start with, and other network devices that you may have, and of course, the PSUS4 should be listed. Without a network name by the way, you have to guess which one will be the PSUS4.
    Now you close the browser session to the router, and you will access the PSUS4 by typing its IP address in the Internet Explorer browser address line.
    Change the network settings of the PSUS4 (tab "protocol", select "tcpip") and highlight "Use the following IP address" Type the IP address that you already used to access the PSUS4. Why change it to fixed? We want a fixed IP address for the PSUS4, and not one that will be different after some time (the router may provide a new IP address after some time!!!). Subnet mask must be 255.255.255.0 and gateway must be the IP address of your router (that is the address you used to access the router with Internet Explorer when we started the quest, in my case 192.168.1.1).
    Remove "NetBEUI" and "Apple Talk" if you do not use these protocols
    DO NOT forget to hit "save" at the bottom of your screen...
    Tab "printer": leave all to printer port USB1. Now EXIT the PSUS4.
    Get back to Windows 7 and get into the Computer Configuration screen where you select configuring printers
    Select "Add a new printer"
    Choose "network printer", then don't wait but select "printer is not in the list"
    Add printer using TCP/IP address
    Type: select "TCP/IP"; next type the PSUS4 IP address and let the port-name be LP1
    Make sure that the protocol is "LPR" and queue name is LP1, and activate "LPR bytecount"
    Leave SNMP unactivated
    That should do the job. Good luck, hope I have not made any typos or mistakes...
    This worked for my PC and for the wireless netbook that my wife uses.

    I have an old PSUS4 and a Samsung ML-2010R.  Both work perfectly so my issues are mostly with getting them to work each time I step up to the next Microsoft OS.  The post by wdboer helped me get my Windows 7 32-bit PC connected to my printer over the LAN and via the PSUS4 so many thanks to wdboer.
    I upgraded to a 64-bit PC with Windows 8 and followed the same instructions and used the Universal Printer Driver downloaded from Samsung, but all I got was the printer to 'wake up' but it printed nothing (a direct USB cable connection worked fine).  I finally got the printer to work by:
    1. Windows 8 Control Panel
    2. Device and Printers
    3. Right click on the newly installed printer
    4. Click on the Device Options tab
    5. Selecting the Printer Model drop down and selecting Samsung ML-2010 Series followed by Apply
    When I went back to the General Tab and clicked on Print Test Page, the printer woke up and printed the test page
    Cheers, R

  • How to hide a particular report in a Dashboard for some level of user

    Hi Gurus,
    This is our requirement.
    We have a Level Based Hierarchy starting from L1 to L8. We want to display one particular report or page only for the Level Greater than or equal to L5.
    Any kind of help is appreciated.
    Regards

    Hi gerardnico,
    Thanks for the Reply.
    But we are also doing the same thing creating one Group
    (select 'WEBGROUPS', 'ALLOW'
    from dual
    where 'VALUEOF(NQ_SESSION.Higher_Level)' = 'X')
    which are having the access to the report but when we put the following in the init block there is access prohibited to all the users.
    select 'WEBGROUPS', 'Secured User'
    from dual
    where 'VALUEOF(NQ_SESSION.Position_Name)' <> 'NO ACCESS'
    UNION ALL
    select 'WEBGROUPS', 'ALLOW'
    from dual
    where 'VALUEOF(NQ_SESSION.Higher_Level)' = 'X'
    UNION ALL
    select 'GROUP',
    case when 'VALUEOF(NQ_SESSION.Position_Name)' = 'NO ACCESS' then 'NO ACCESS' ELSE 'Secured User' END
    from dual
    Regards

  • RDP over Easy VPN Server fails, ping works

    Dear experts,
    What can I do to troubleshoot this problem?
    This is our router configuration with the Easy VPN Server enabled:
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    no service dhcp
    hostname ####
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret ###########################
    aaa new-model
    aaa authentication login local_authen local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec local_author local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    no ipv6 cef
    no ip source-route
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.29
    ip dhcp excluded-address 192.168.1.59
    ip dhcp excluded-address 192.168.1.99
    ip dhcp excluded-address 192.168.1.182
    ip dhcp excluded-address 192.168.1.192
    ip dhcp excluded-address 192.168.1.193
    ip dhcp excluded-address 192.168.1.198
    ip dhcp excluded-address 192.168.1.238
    ip dhcp excluded-address 192.168.1.240
    ip dhcp excluded-address 192.168.1.243
    ip dhcp excluded-address 192.168.1.245
    ip dhcp excluded-address 192.168.1.215
    ip dhcp excluded-address 192.168.1.122
    ip dhcp excluded-address 192.168.1.33
    ip dhcp excluded-address 192.168.1.10
    ip dhcp excluded-address 192.168.1.11
    ip dhcp excluded-address 192.168.1.201
    no ip bootp server
    ip dhcp-server ##########
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-############
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-############
    revocation-check none
    crypto pki certificate chain TP-self-signed-############
    certificate self-signed 01
            quit
    license udi pid CISCO1941/K9 sn ##########
    license boot module c1900 technology-package securityk9
    license boot module c1900 technology-package datak9
    username #### privilege 15 secret ####################.
    username #### secret ####################
    username #### secret ####################
    username #### secret ####################
    redundancy
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto ctcp port 10000
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ###########
    key ##########
    dns 192.168.1.4 192.168.1.6
    domain ####.local
    pool SDM_POOL_1
    acl 102
    include-local-lan
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group ##############
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ########### esp-aes 256 esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ###########
    set isakmp-profile ciscocp-ike-profile-1
    interface Null0
    no ip unreachables
    interface GigabitEthernet0/0
    description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    no mop enabled
    interface GigabitEthernet0/1
    description $FW_OUTSIDE$
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip nat enable
    ip virtual-reassembly in
    duplex auto
    speed auto
    no mop enabled
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 23 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 ###########
    logging esm config
    logging trap debugging
    access-list 23 permit 192.168.1.0 0.0.0.255
    access-list 23 permit 192.168.2.0 0.0.0.255
    access-list 101 deny   ip any host 184.82.162.163
    access-list 101 deny   ip any host 184.22.103.202
    access-list 101 deny   ip any host 76.191.104.39
    access-list 101 permit ip any any
    access-list 102 permit tcp any any eq 3389
    access-list 102 permit ip any any
    access-list 102 permit icmp any any
    access-list 700 permit 000d.6066.0d02   0000.0000.0000
    no cdp run
    snmp-server group ICT v3 priv
    control-plane
    banner exec ^C
    Welcome ####^C
    banner login ^C
    Unauthorized access prohibited
    ##################################^C
    line con 0
    login authentication local_authen
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class 23 in
    password 7 ##################
    authorization exec local_author
    login authentication local_authen
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    authorization exec local_author
    login authentication local_authen
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    In the server debug, I see this:
    *Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -2020890165 ...
    *Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    *Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
    *Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
    *Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
    *Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
    *Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
    *Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
    *Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
    *Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
    *Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
    *Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
    *Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
    Is it something with the above line?
    /Jesper
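
For reading debug output like the lines quoted in the post above, here is an added example (not part of the original thread) that pulls out the SA id, the retransmit counter and the XAUTH attributes the peer did or did not return. The function names and the summary layout are assumptions made for this sketch.

```python
import re

# Lines copied from the debug output quoted in the post above.
DEBUG = """\
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
"""

SA_ID = re.compile(r"ISAKMP:? ?\((\d+)\)")
RETRY = re.compile(r"error counter on sa, attempt (\d+) of (\d+)")
REPLIED = re.compile(r"ISAKMP/xauth: reply attribute (\S+)")
MISSING = re.compile(r"ISAKMP/xauth: Expected attribute (\S+) not received")


def summarize(debug):
    """Collect SA ids, retransmit progress and XAUTH attributes from debug text."""
    summary = {"sa_ids": set(), "attempt": 0, "limit": None,
               "replied": [], "missing": []}
    for line in debug.splitlines():
        if m := SA_ID.search(line):
            summary["sa_ids"].add(m.group(1))
        if m := RETRY.search(line):
            summary["attempt"] = max(summary["attempt"], int(m.group(1)))
            summary["limit"] = int(m.group(2))
        if m := REPLIED.search(line):
            summary["replied"].append(m.group(1))
        if m := MISSING.search(line):
            summary["missing"].append(m.group(1))
    return summary


def findings(summary):
    """Turn the summary into short notes for the person reading the debug."""
    notes = []
    if summary["limit"] and summary["attempt"]:
        left = summary["limit"] - summary["attempt"]
        notes.append(f"phase 2 retransmit {summary['attempt']}/{summary['limit']}, {left} left")
    for attr in summary["missing"]:
        notes.append(f"peer reply lacked {attr} (sent: {', '.join(summary['replied'])})")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(DEBUG)):
        print(note)
```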

  • PIX515 URL filtering doesn't work

    Dear colleagues,
    I have one outside interface with global IP address 1.1.1.1 and two inside.
    Both inside interfaces restrict and non_restrict have private IP addresses.
    I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.
    I can access prohibited URL from restrict interface.
    Could you tell me what's wrong in my URL filtering?
    Here is my config:
    PIX Version 7.2(2)
    hostname pixfirewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 1.1.1.1 255.255.255.252
    interface Ethernet1
    nameif restrict
    security-level 50
    ip address 192.168.2.1 255.255.255.128
    interface Ethernet2
    nameif non_restrict
    security-level 100
    ip address 192.168.2.129 255.255.255.192
    passwd 2KFQnbNIdI.2KYOU encrypted
    regex domainlist1 "\.facebook\.com"
    regex domainlist2 "\.twitter\.com"
    regex domainlist3 "\.youtube\.com"
    ftp mode passive
    access-list inside_mpc extended permit tcp any any eq www
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (restrict) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    class-map type regex match-any DomainBlockList
    match regex domainlist1
    match regex domainlist2
    match regex domainlist3
    class-map inspection_default
    match default-inspection-traffic
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map httptraffic
    match access-list inside_mpc
    policy-map type inspect http http_inspection_policy
    parameters
      protocol-violation action drop-connection log
    class BlockDomainsClass
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map inside-policy
    class httptraffic
      inspect http http_inspection_policy
    service-policy global_policy global
    service-policy inside-policy interface restrict
    end

    Hi,
    can you try inspecting http.
    Regards.
    Alain
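
A way to check a configuration like the one posted above before loading it, as an added example that is not part of the original thread. It lists classes inside a `policy-map type inspect` that carry no action line and shows which Host header values the posted regexes cover. Assumptions: a class with no `drop-connection`, `reset` or `log` line under it takes no action on matched traffic, and the firewall matches these regexes unanchored, as `re.search` does. The function names are hypothetical.

```python
import re

# Excerpt copied from the configuration posted above (indentation as posted).
CONFIG = r'''
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.youtube\.com"
policy-map type inspect http http_inspection_policy
parameters
  protocol-violation action drop-connection log
class BlockDomainsClass
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
'''

# Action keywords looked for under an inspect class (assumption of this sketch).
ACTIONS = ("drop-connection", "reset", "log")


def load_regexes(config):
    """Map each `regex NAME "PATTERN"` line to a compiled pattern."""
    found = re.findall(r'^regex (\S+) "(.*)"$', config, re.M)
    return {name: re.compile(pattern) for name, pattern in found}


def classes_without_action(config):
    """Return classes inside `policy-map type inspect` that have no action line."""
    bare, in_inspect, pending = [], False, None
    for line in config.splitlines():
        word = line.split()
        if not word:
            continue
        if word[0] == "policy-map":
            if pending:
                bare.append(pending)
            in_inspect, pending = word[1:3] == ["type", "inspect"], None
        elif in_inspect and word[0] == "class":
            if pending:
                bare.append(pending)
            pending = word[1]
        elif pending and word[0] in ACTIONS:
            pending = None
    if pending:
        bare.append(pending)
    return bare


def blocked_by(host, regexes):
    """Names of the regexes that match a Host header value (substring match)."""
    return sorted(name for name, rx in regexes.items() if rx.search(host))
```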

  • Customize no-permissions error msg

    If I set the Everyone group to essentially have no access to answers/dashboards/delivers and someone tries to sign in, I get an error message with the following:
    Access Prohibited
    You are not currently authorized to use Oracle BI Delivers
    If you would like to use the powerful capability, please contact this site's administrator.
    HOW CAN I EDIT THIS MESSAGE?

    You can edit the deliverssysmessages.xml which can be found in the \OracleBI\web\msgdb\l_en\messages folder.
    In there you can find this WebMessage:
    <WebMessage name="kmsgDeliversNotCurrentlyAuthorized"><HTML>You are not currently authorized to use <sawm:messageRef name="kmsgProductDelivers"/>.
    If you would like to use this powerful capability, please contact this site&#39;s administrator.
    </HTML></WebMessage>
    Regards,
    Stijn

  • Error when login to OBIEE presentation services

    User is getting the following error: "Access Prohibited. Not currently authorized to use Oracle BI Interactive Dashboards" and her team is able to login without any issues. The entire group is in one group and have access. All her team members are able to login successfully except one user. What could be the problem here? Please help.

    Hi
    try to add her individually to the dashboard from the admin login
    Regards
    Debo

  • Help, When I upload my website all image links are missing!

    Hello, new dreamweaver cs5 user here. When I preview on firefox everything looks great! After uploading all image files are missing. www.cityrevealed.com

    There are still plenty of images attempting to be loaded from a folder level above the Root:
    <img src="../images/header2.jpg" width="960" height="226" border="0"
    are you sure there is an "images" folder in the root?
    http://www.cityrevealed.com/images/
    Typically attempting to look at the index file of a folder level will return "Access Prohibited" or actually reveal the file and sub folder structure with that folder level... but trying to directly access the "images" folder returns page not found. While I realize there may not be any index page there... I would normally be getting "Access Prohibited".
    You may have made changes but are you sure they have ALL been uploaded to the server?
    Are you uploading via DreamWeaver or an FTP program?
    How are you verifying that the server folder structure is exactly the same as your local machine?
    Adninjastrator

  • AAA using RADIUS

    Good morning all,
    I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
    Dwane

    For routers and IOS switches:
    aaa new-model
    aaa authentication banner *Unauthorized Access Prohibited*
    aaa authentication login default group radius
    radius-server host 10.10.10.10 (your acs device)
    radius-server key cisco123
    radius-server configure-nas
    username nmg password telnet
    aaa authentication ppp dialins group radius local
    aaa authentication login nmg local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius
    aaa processes 16
    line 1 16
    login authentication
    For CatOS switches:
    Set radius-server 10.10.10.10
    show radius
    set radius key cisco123
    set authentication login radius enable
    set authentication enable radius enable
    show authentication
    set radius timeout 5
    set radius retransmit 3
    set radius deadtime 3
    For Pix Firewalls:
    aaa authentication ssh console radius LOCAL
    aaa authentication telnet console radius LOCAL
    aaa-server radgroup protocol RADIUS
    max-failed-attempts 2
    reactivation-mode depletion deadtime 5
    exit
    (NOTE: This will depend on the location of the pix firewall)
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXXX
    exit
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXX
    exit
    This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
    If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.
    Hope this helps some. I had a lot of help from Cisco TAC on this.
    Dwane

  • Receive empty sender mail

    Hi, I'm new in OCS.
    I've received a mail response from another domain when trying to send a mail
    this is part of the message:
    Final-Recipient: rfc822; [email protected]
    Action: failed
    Status: 5.5.0
    Last-Attempt-Date: Tue, 23 Oct 2007 16:25:29 -0500
    Diagnostic-Code: SMTP; 550-Callback setup failed while verifying <[email protected]>
    550-(result of an earlier callout reused).
    550-The initial connection, or a HELO or MAIL FROM:<> command was
    550-rejected. Refusing MAIL FROM:<> does not help fight spam, disregards
    550-RFC requirements, and stops you from receiving standard bounce
    550-messages. This host does not accept mail from domains whose servers
    550-refuse bounces.
    550 Sender verify failed
    Remote-MTA: dns; remotedomain.com
    From what I understand I need to receive mail from <> , empty or null sender but have been unable to find in the SMTP Inbound Server where to activate this option.
    I thought the option was "Remitentes rechazados" (Spanish) but it didn't work
    When talking to the server directly this is the result:
    telnet mail.domain.com 25
    Trying XXX.XXX.XXX.XXX..
    Connected to mail.domain.com (XXX.XXX.XXX.XXX).
    Escape character is '^]'.
    220 server ready. Unauthorized Access Prohibited.
    HELO domain.com
    250 mail.domain.com Hello 192.168.XXX.XXX, pleased to meet you
    mail from:
    550 5.7.1 Mail command failed: Mail denied due to site's policy
    mail from: <>
    550 5.7.1 Mail command failed: Mail denied due to site's policy
    So, I need to change this policy.
    Thanks in advance
    Giovanni

    Hi Andreas, I've checked my domain and it is working from outside.
    The problem is that I need to tell my server to receive mail from <> (empty or null user) as required by RFCs
    Regards
    Giovanni
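
To confirm a policy change like the one asked about above, a saved SMTP session can be checked for how the server answered the null reverse-path. This is an added example, not part of the original thread: it pairs each client command with the final line of the server reply (handling `550-` continuation lines like those in the bounce) and reports the result for `MAIL FROM:<>`. The function names are hypothetical.

```python
import re

# Session lines copied from the post above (host and addresses masked as posted).
TRANSCRIPT = """\
220 server ready. Unauthorized Access Prohibited.
HELO domain.com
250 mail.domain.com Hello 192.168.XXX.XXX, pleased to meet you
mail from:
550 5.7.1 Mail command failed: Mail denied due to site's policy
mail from: <>
550 5.7.1 Mail command failed: Mail denied due to site's policy
"""

# Three-digit code, then "-" (more lines follow) or " " (last line of the reply).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def pair_commands(transcript):
    """Pair each client command with the final line of the server reply to it."""
    pairs, command = [], None          # command is None for the greeting
    for line in transcript.splitlines():
        m = REPLY.match(line)
        if m is None:
            command = line.strip()     # anything that is not a reply is a command
        elif m.group(2) == " ":        # skip "550-" continuation lines
            pairs.append((command, int(m.group(1)), m.group(3)))
    return pairs


def null_sender_result(transcript):
    """Return (verdict, code, text) for MAIL FROM:<>, or None if never sent."""
    for command, code, text in pair_commands(transcript):
        if command and re.fullmatch(r"mail from:\s*<>", command, re.I):
            verdict = "accepted" if 200 <= code < 300 else "rejected"
            return verdict, code, text
    return None


if __name__ == "__main__":
    print(null_sender_result(TRANSCRIPT))
```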
