Hasn't anyone out here worked with cut-through proxy

hasn't enyone out here worked with cut-through proxy with acs. is there no one out here to help me out with cut-through proxy.
sebastan

Hi Sebastan,
For your case, what's the scenario looks like?
Rgds,
AK

Similar Messages

  • Strange problem with cut-through proxy

    hi
    i have configured cut- through proxy on the router with acs.i am facing a strange problem .
    my routers's ethernet 3/0 interface ip add is 10.1.1.1/24 and the acs server is 10.1.1.2/24 and the host ip is 10.1.1.3/24
    my routers' e2/0 interface is connected a server running a website .
    int e2/0
    no shutdown
    ip add 20.1.1.1/24
    exit
    the webserver is running on 20.1.1.2
    my router's config
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
    no shutdown
    ip add 10.1.1.1/24
    ip access-group 101 in
    ip auth-proxy auth
    exit
    on the acs server in the tacacs+ ios
    i have selected auth-proxy in the services for users and groups
    i have created a user john with privilege level 15
    have selected auth-proxy and custom attributes
    proxyacl#1=permit tcp any any priv-lvl=15
    i get the auth-proxy login page when the host on 10.1.1.3 is trying to access 20.1.1.2 web site .
    after putting the login credentials i get authentication failed
    i tried the debug. i see the router is sending the authentication login and password and getting the status from the acs as pass. i also see the auth-proxy triggered. in there i see
    AUTH-PROXY PROTOCOL NOT CONFIGURED.
    could someone pls help me what could be the problem. i am have tried many times to get this work. but not fortunate enough.
    am i missing on any commands on the router or on the acs. i tried doing as the example mentioned in the student guide but still failed. pls help. waiting for some reply.
    sebastan

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

  • Has anyone done any work with the "Form" Email Feature in 2008?

    Has anyone done any work with the "Form" Email Feature in 2008?
    2006.7
    Oracle 9i
    Websphere 5.11
    IE6 & IE7
    I have been testing the version 2008.2 and noticed the "Form" link in the email templates, has anyone used this or know what its for? 
    It seems like a useful feature, but I can not find any documentation on its use.
    Thank you
    Daniel

    Hi Daniel,
    The HTML widget we have incorporated into the application is an open source tool. It's name is FCKeditor. Here is the URL for the documentation site: http://docs.fckeditor.net/
    - Ed

  • I have an Retina display MacBook Pro with HMDI out port. I also have an HDMI to Component cable with Audio Plugs. How can I get HDMI out to work with this cable when plugged into the Component and Audio ports on my TV?

    I have an Retina display MacBook Pro with HMDI out port. I also have an HDMI to Component cable with Audio Plugs. How can I get HDMI out to work with this cable when plugged into the MacBook Pro and connected to the TVs Component and Audio in ports.

    Will not work.  To my knowledge, dual converting like that isn't supported.  The Mac must detect the connected video output device and that sort of info cannot be done across an analog component uni-directional connection.

  • My mtsfiles don't work with cut express

    i am working with cut express and my files from the camera to an extern harddisc were converted into mts...now the program doesnt accept these kind of files so i converted them to mp4 but the audio doesn't work while trying the cutexpress program..so please someone to recomend me how to convert my mts files into mpge to be able to work with the finul cut program!
    a desperate beginner!

    Use ClipWrap to convert them to QuickTime using the Apple Intermediate Codec. MPEG is not a production format and is never used in FCE.

  • ASA cut through proxy with RADIUS challenge response?

    Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
    Want to do cut through proxy with challenge response - same ASA and same RADUIS server but using aaa authentication match command and this is what happens...
    It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
    What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
    Date: 15/11/2010
    Time: 3:53:57 PM
    Type: Information
    Source: Server
    Category: RADIUS
    Code: I-006001
    Description: A RADIUS Access-Request has been received.
    AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
    Details:
    Source Location : 10.xx.21.24
    Client Location : 10.xx.21.230:1025
    Request ID : 31
    Password Protocol : PAP
    Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
    Action : Process
    What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
    Date: 17/11/2010
    Time: 2:29:31 PM
    Type: Warning
    Source: Server
    Category: RADIUS
    Code: W-006001
    Description: An invalid RADIUS packet has been received.
    AMID: 0xC19D988F83365F20151C3F6339DEC74B
    Details:
    Source Location : 10.xx.21.24:1812 (Authentication)
    Client Location : 10.xx.21.230:1025
    Reason : The sub-protocol of the received RADIUS packet cannot be determined
    Request ID : 33
    Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
    Request Type : Access-Request
    Thanks in advance
    IB

    Hi Ian,
    sorry for the late reaction - do you still need help with this?
    The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
    So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
    aaa-server () host
    no mschapv2-capable
    Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
    Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
    hth
    Herbert

  • ASA - cut through proxy authentication for RDP?

    I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
    OUTSIDE to INSIDE RDP is currently working.
    I have 2 servers I want RDP open for..
    [*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
    [*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
    What's required for OUTSIDE users  to authenticate on the ASA before allowing port 3389 opens? I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSISE interface to open 3389 for a designated time limit. Is this possible?
    Here is my current config.
    [code]
    ASA Version 8.2(5)
    hostname ASA5505
    names
    name 10.10.0.0 LANTraffic
    name 10.10.30.0 SALES
    name 10.10.40.0 FoodServices
    name 10.10.99.0 Management
    name 10.10.20.0 Office
    name 10.10.80.0 Printshop
    name 10.10.60.0 Regional
    name 10.10.70.0 Servers
    name 10.10.50.0 ShoreTel
    name 10.10.100.0 Surveillance
    name 10.10.90.0 Wireless
    interface Ethernet0/0
    description TO INTERNET
    switchport access vlan 11
    interface Ethernet0/1
    description TO INSIDE 3560X
    switchport access vlan 10
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    security-level 50
    no ip address
    interface Vlan10
    description Cisco 3560x
    nameif INSIDE
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Vlan11
    description Internet Interface
    nameif OUTSIDE
    security-level 0
    ip address 1.1.1.1 255.255.255.224
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 4.2.2.2
    domain-name test.local
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging device-id hostname
    logging host INSIDE 10.10.70.100
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip verify reverse-path interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 LANTraffic 255.255.0.0
    static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
    static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
    access-group RDP-INBOUND in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Management 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.10.70.100 255.255.255.255 INSIDE
    ssh Management 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username scott password CNjeKgq88PLZXETE encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
    : end
    [/code]

    You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).
    There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

  • ASA Cut through proxy configuration

    Hi guys,
    I would like to configure limited internet access to olnly a select group of Windows AD users.
    I beleive cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510
    thanks

    The link given will definitely work however you would not be able to select access based on the AD group, if that is what you need to achieve and you have ASA version 8.0 you can work Cut-Through-Proxy together with DAP.
    Using Cut-Trough-Proxy with a standard authentication server will only allow or reject depending on the authentication result, but any user within your AD schema will be able to get internet access. If you need to restrict this based o Windows Groups as well your best shot is Cut-Through-Proxy with DAP and LDAP:
    http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

  • Pix cut-through proxy

    a quick question since I do not have access to a pix I can not confirm it
    say, I want to do pix cut-through proxy and authenticate access via tacacs on per user basis.
    I want the user to access smtp user inside the pix will go through tacacs authentication.
    my question is "do I need a statement for http on the access-list ?"
    thank you.
    here is the config
    PIX-525# wr t
    PIX Version 6.3(1)
    access-list 100 permit tcp any host 155.1.1.4 eq http
    access-list 100 permit tcp any host 155.1.1.4 eq smtp
    access-list 150 permit tcp any host 155.1.1.4 eq http
    access-list 150 permit tcp any host 155.1.1.4 eq smtp
    access-group 100 in interface outside
    static (inside,outside) 155.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
    aaa-server AUTHEN protocol tacacs
    aaa authentication match 150 outside AUTHEN

    Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

  • ASA - Cut-through proxy probleme

    I have to configure my ASA 7.2.2 for cut-through proxy but when the users use authentication prompt ,
    but only , for (http://1.1.0.2/netaccess/connstatus.html) the ASA send the following message:
    User Authentication
    User Authentication is not required.
    help me
    it is ok when one uses cut-through-proxy by ACL :
    access-list ACL_INT extended permit tcp object-group PC-UAUTH_DYN host MVINCT19 eq www
    access-list ACL_AUTH line 1 extended permit tcp host poste_auvinet host MVINCT19 eq www
    aaa-server auth_inside protocol radius
    aaa-server auth_inside host SVR-ACS-IN
    key xxx
    username admin password xxx privilege 15
    aaa authentication match ACL_AUTH inside auth_inside
    aaa authentication listener http inside port www
    on a pix 525 is OK

    Hi,
    The config looks good. Please remember that successful authentication is cached (show uauth) and till it expires user will not need to authenticate again.
    Please clear uauth and see if it helps.
    Regards,
    Vivek

  • Is there anyone out there happy with Media Encoder?

    After almost year of working with CS4 under both XP 32 bit and now Windows 7 64 bit, I am delighted with Photoshop and After Effects, tolerant of the defects in Premiere, and absolutely insanely angry about Adobe Media Encoder.  I have spent a great deal of time following other people's posts and recommended "fixes."  None have made the slightest difference in the ponderous performance and frequent crashing, especially when exporting AC3 files through Surcode.
    I have tested this setup with no greater happiness on clean installs with NOTHING else on the computer but CS4 with all updates.  These systems have all significantly exceeded Adobe's requirements for the software.
    I have used in that time three different motherboards.  I have worked with Premiere for years, literally since version 3.  A have loads of experience optimizing computers for video.  I also have lots of experience with other editing systems, having done in-depth reviews of NLEs for DV Magazine for a number of years.  This is not to say that I have not missed something, but the consistent complaints I see reveal a critical lack of attention to the broken bits of this system.
    I see lots of posts on this and other forums about the poor performance of AME.  I see very few where anyone is happy with the software.
    My current 2-hour project which loads into Premiere in under a minute can take 20 or 30 minutes to load in AME.  Even when exporting only audio, AME appears to launch PPheadless and render all video frames before getting to the audio, and I have repeated issues with the program locking up when exporting more than 20-25 minutes of audio.
    The decision to remove all direct exporting ability from Premiere and use the often broken Dynamic Link to AME was a gross mistake which in my opinion takes Premiere off the table for any professional shop.  I do not do work for hire, but I cannot imagine explaining to a client who is paying by the hour why we have to sit and wait for fifteen or twenty minutes for AME to load the project that was already loaded in PP to just export a brief section.  The architectural decision might be OK if all the bits that were involved were bulletproof and reliable, but the ImportProcessServer.exe and other dynamic link bits are clearly the source of problems for many people.
    So here's my question: is there ANY professional end user out there that is happy with the current incarnation of AME and the decision to remove direct export ability from PP?

    What format(s) do you work in?  What length of project?  Do you output to AC3?  I have no problems with AME for short projects or to output the same size/format -- for instance, I can usually output full HD for Blu-Ray but experience lots of crashes if scaling down to SD for DVD.  The crashes also occur above certain lengths, usually 20 min +.  With audio, I can output 5.1 uncompressed WAV in the same format (for instance, 16 bit) but if I try to output 24 bit (which AME is supposed to be able to do) I get "Encoding Failed - Unknown error."  In fact the error log is ALL that very helpful message, always when transcoding to another format/bit depth/size.  When outputting 5.1 to AC3, AME freezes up and fails at around 20 minutes.
    Our systems are very silimar -- the current system is i7 proc with 6gb ddr3 ram on a gygabite GA-EX58-UD3R.
    A have not had any huge issues really with AME for short videos or output to FLV for web.
    But the workflow I use is something that CS4 is SUPPOSED to be able to do.  And the very unusual issue is that I have seen posts about the same type of errors (with ImportProcessServer etc) on Macs as well.

  • Can't get the Toslink (Optical) out to work with Airport Express

    I have the monster cable hooked up but get no optical out. I hooked up the mini plug to RCA and that works but the optical doesn't. Is there a setting I'm missing. I know the cable is working because I hooked it up to my mini computer and get the red light coming out the end. I don't get any light from the airport expess mini plug to Toslink.

    Same problem here. Just bought an optical cable with the mini toslink connector (to work with the express and computers). I can get audio if I connect the cable to my computer, but no audio from the express. Regular analog audio comes out fine, but I cannot get the optical to work.
    I can't find any preference or setting to change and have tried resetting the base station. Anyone have an idea?
    iMac G5   Mac OS X (10.4.8)  

  • Does anyone have SSL working with the Sun Java System App Server PE?

    We have been having problems (to say the least) getting SSL to work with the Sun Java Application Server 8.1 Platform Edition.
    We have a signed certificate from VeriSign and have it imported correctly, but when you test it by going to https://localhost:8182/ (note that 8182 is the port set up for SSL) you get a warning mesage saying that the certificate cannot be verified. When you view the certificate you see that it is the one that got automatically generated for you by the app server and not the one we purchased from VeriSign.
    So, I was just wondering if anyone out there has gotten this to work and if so, what document did you follow to tell yoiu how it was done!
    THANK YOU!

    once apon a time i had a real problem with the same issue.. best of luck.. i forget now how to fix.. sorry.

  • Spdif out not working with latest drives on XFI

    /? I installed the newest drivers that were released recently. Driver version 6.0..347.
    Before I upgraded to these drivers my dolby digital was working fine.
    In powerdvd I have SPDIF/out selected. And the dolby digital light will not come on in the reciever. Anyone?
    else having this issue?
    SYSTEM SPECS: Antec P83 * Antec CP-850 * Intake two S-Flex SFF2E fans *
    Exhaust? two S-Flex SFF2E fan * Noctua NH-U2P SE366 cpu cooler * Asus P6T Deluxe *
    Bios version 605 * Core i7 920 @ 3.6ghz 20x 80bus * Mushkin 3x2GB 998679 @ 7-8-7-20 *
    Gigabyte 9800 GTX+ gig * PCIe SB X-Fi Titanium Fatality Pro * Pioneer SATA DVR-22DBK *
    Intel X25-M 60GB MLC SSD * Two Western Digital WD6400AAKS 640GB *
    ?Windows Vista 64 Ultimate SP2 not vlited
    Message Edited by galvin on 08-6-2009 05:08 [email protected]

    No one has this problem at all?
    I want to find out for sure if there is a fix before going back to the older drivers.
    If i do the test in the spdif out properties panel -> supported formats. When I do the dolby digital test I see the light come on in my receiver and hear sound just thru the front speakers. But when I use power DVD 9 ultra with the latest patch. I don't get the digital light on my receiver. I had this working with the previous drivers released earlier this year.
    Message Edited by galvin on 08-7-2009 0:54 [email protected]

  • Tomcat 5.5 issues, has anyone got JSF working with tomcat 5.5 yet?

    Hi,
    Firstly I'm wondering if anyone has got JSF 1.1 working with tomcat 5.5 yet.
    I'm trying to move from tomcat 5.0.25 to 5.5.4 and my JSF webapps have not liked the move at all.
    The classpath doesn't seem to be a problem as I have all the .jars that are required in the classpath of tomcat just like before.
    I see the error log in stdout.log (catalina.out on linux) have been reduced to only show the precise error. Or at least is seems at lot easier to read.
    My error is simply
    SEVERE: Error listenerStart
    SEVERE: Context startup failed due to previous errors
    I reverted back to using the examples provided like jsf-guessNumber and the car-demo but neither of these will start-up.
    This issue seems to have occurred to lots of other people previously but I couldn't find a particular fix or direct compatability issue with tomcat.
    Has anyone encountered this before?

    Back again,
    Allright well after a little thought I concluded that this issue had to be some to do with the classpath and the changes between the two tomcat versions.
    I had a look at
    http://jakarta.apache.org/tomcat/tomcat-5.5-doc/RELEASE-NOTES.txt
    and noticed that tomcat 5.5 leaves out some important .jar as they are only needed for java 1.4.
    -------------------- EXTRACT ------------------------
    Installing the compatibility package will add the following to the list, which are
    needed when running on J2SE 1.4:
    * jmx.jar (Java Management Extensions API 1.2 or later)
    * xercesImpl.jar (Xerces XML Parser, version 2.6.2 or later)
    --------------------END EXTRACT ------------------------
    Therefore I tried putting xercexImpl.jar back onto the tomcat classpath and JSF works once again.
    Ah what a relief.

Maybe you are looking for

  • Sales Report (Customer wise)

    Dear Friends, Can anyone please give me the  t-code to run a complete report on total sales for the year per customer Thanks

  • I have 3.4 years of ABAP experience. Planning to learn SAP BI and Move to BI. Kindly Suggest

    Hi Experts, I have been working for almost 3 and half years on SAP ABAP. Now i am planning to Learn SAP BI/BW and move my carrier to SAP BI/BW Completely. What would be the opportunities and carrier growth in the coming years for this combination. Pl

  • FTP Adapter get complete files question

    I'm using the FTP Adapter to poll for incoming files. I'm concerned that it may be possible for the FTP adapter to find a file whilst it's still being written, and therefore load an incomplete file. Does anyone know if the FTP adapter has any built i

  • Sent folder does not appear after installation. What to do to see the sent folder?

    After installation, the inbox and trash folders are there. The local folders are also there. But the sent folder is not there. How do i get the sent folder together with the sent emails.

  • WHTWHT

    I would like to propose an new acronym. WHTWHT is short for "We Help Those Who Help Themselves". I feel this modification of Ben franklin's adage that "God helps those who help themselves" describes not only my attitude to questions about elementary