There are 2 places on a Cisco ASA where NAT-T needs to be turned on.
The ASA has to be "allowed" to use NAT-T (first setting), then it needs to be enabled for a specific site-to-site connection.
Here is a table showing the results of the combined settings:
FIRST - NAT-T must be enabled in IKE Parameters in order for any connection to have NAT-T working
NEXT - EnableNAT-T on the individual crypto map for the IPSec connection.
NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.