What are you referring to when you say "filtering function"? If you're referring to traffic not matching an ACL, that traffic will be dropped, so I guess you could say it fails closed. If you're referring to the ASA itself failing, then that is definitely closed, as the device won't be passing traffic at that point.
I recommend trying the following things:
1. Run a packet tracer and see what step is failing.
2. Run debugs: debug cryp isa sa 127 and deb cryp ipsec sa 127. While these are running, attempt a ping across the tunnel and attach the output to this thread.
Is this a brand new switch, or did you get it used? I have 2 of these in my network, brand new, and neither of them had an enable password configured upon first power on.
The NAT statement that RJI suggested for your ASA is called an Identity NAT, if I'm not mistaken, and needs to be configured in the global configuration, not as part of your network object. Take a look at this document for further details on ASA NAT types. https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/nat-basics.html Cheers!