Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

remote vpn question


we have a cisco asa 5520. We have remote users that vpn into this device and once connected use microsoft office communicator for IM.

The issue is with sharing desktops. When users are inside the network they can share. When a user is inside the net. they can share with a user that is VPN'd in.

The issue is when two users are remotely connected via VPN they can IM but unable to share their desktop.

I would just like to know if this is possible (two remote vpn connections to share a desktop) and if so, would it be an acl issue that would probably be preventing?

Thanks any suggestions would be appreciated

New Member

Re: remote vpn question


Quick answer is yes it is possible, but it may ultimately depend on your OCS configuration.

Like most microsoft apps out the box it uses random ports (1024-65535) for a large portion of it communications, which hopefully your server guys are locking down to smaller more managable range.

First thing I would try on your ASA though is to enable hairpinning so the vpn users can communcate with each other.

This is done using:

same-security-traffic permit intra-interface

Basically allowing traffic to enter and exit the same interface, which is denied by default.

If this still doesnt work you may have to liaise with your OCS team to assist.

If you sharing between just 2 users the traffic primarily should be peer to peer.

You may want to try sharing to multiple users in a conference for instane, which forces the traffic for all users through the edge servers instead of peer to peer, this should work.

Unless your firewalling the vpn traffic i wouldnt expect you have to enable rules on the ASA.



New Member

Re: remote vpn question

Great. thank you.

So by enabling this feature - "same-security-traffic permit intra-interface" how does it affect any of the existing traffic or the existing vpn traffic?


New Member

Re: remote vpn question


Did it fix your issue?

On the ASA traffic is prohibited from entering and exiting the same interface by default.

This command permits this behavior.

For you i expect that both vpn's are terminating on the same interface (maybe the outside for example) so as the connection comes in from one vpn it needs to exit the same interface to reach the other vpn. This by default would be denied.

This is a global command so will effect all interfaces. Shouldnt cause any issues with existing traffic etc.


New Member

Re: remote vpn question


I haven’t tried it yet as I was a little cautious as to what it may affect/break if anything.

I will have to run this by a few teams before any changes are made to this device.

But you do say that by enabling "same-security-traffic permit intra-interface" it does not affect any existing vpns or communications correct?

Thanks for all you information.

CreatePlease login to create content