Cisco Support Community

New Member

Site-to-Site VPN - one side behind firewall

Hi forum!

I have two ASA5505s and want to set up a site-to-site VPN.

I used the IPsec wizard and the VPN works so far.

The problem is the remote side, where the ASA is behind a firewall of my ISP. The incoming ports are completely closed.

Now if the idle time passes and there is no traffic on the remote side, the tunnel drops.

I found a workaround by setting the idle-timeout to none. But if the tunnel is disrupted for other reasons, e.g. the ISP disconnects, I can't rebuild it from the server side.

Is there any command to send a keepalive signal or something?


Re: Site-to-Site VPN - one side behind firewall

tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2

New Member

Re: Site-to-Site VPN - one side behind firewall

Hi! Thanks for the quick reply.

But the keepalive is standard - or isn't it?

Where should I set the keepalive - core or remote? Or both?

I think the problem is that the core ASA can't connect to the ASA behind the firewall.