NOTE FROM BOB: I think this can be deleted. I combined two articles into one: "How do I configure a Cisco device to explicitly use native IPSec or NAT-T?".
There are 2 places on a Cisco ASA where NAT-T needs to be turned on.
The ASA has to be "allowed" to use NAT-T (first setting), then it needs to be enabled for a specific site-to-site connection.
Here is a table showing the results of the combined settings:
FIRST - NAT-T must be enabled in IKE Parameters in order for any connection to have NAT-T working
NEXT - EnableNAT-T on the individual crypto map for the IPSec connection.
NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.