There are 2 places on a Cisco ASA where NAT-T needs to be turned on.


The ASA has to be "allowed" to use NAT-T (first setting), then it needs to be enabled for a specific site-to-site connection.


Here is a table showing the results of the combined settings:


nat-table-vns3.png


FIRST - NAT-T must be enabled in IKE Parameters; without it, no connection can use NAT-T.


cisco1.png


NEXT - Enable NAT-T on the individual crypto map for the IPSec connection.


 cisco2.png
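To check both settings across every tunnel at once, the following added example (not part of the original article or any Cohesive Networks tooling) audits a saved running-config. It assumes the two ASDM settings above appear in the CLI as `crypto isakmp nat-traversal` (global) and `crypto map <name> <seq> set nat-t-disable` (per entry); the sample config, map name and peer addresses are constructed.

```python
import re

# Constructed sample of ASA running-config lines (not from the original page).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address vpn_site_a
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 match address vpn_site_b
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp nat-traversal 20
"""

GLOBAL_RE = re.compile(r"^(no\s+)?crypto isakmp nat-traversal(?:\s+\d+)?$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def global_nat_t(config):
    """True/False when the config states the global setting, None when it is absent."""
    state = None
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            state = m.group(1) is None  # a leading "no" means disabled
    return state

def audit_nat_t(config):
    """Map (crypto map name, sequence number) to 'on', 'off' or 'unknown'."""
    glob = global_nat_t(config)
    allowed = {}  # (name, seq) -> False once "set nat-t-disable" is seen
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            disabled = m.group(3).strip() == "set nat-t-disable"
            allowed[key] = allowed.get(key, True) and not disabled
    result = {}
    for key, ok in allowed.items():
        if not ok or glob is False:
            result[key] = "off"      # either switch off means no NAT-T
        elif glob is None:
            result[key] = "unknown"  # global line absent: version default applies
        else:
            result[key] = "on"
    return result

if __name__ == "__main__":
    for (name, seq), state in sorted(audit_nat_t(SAMPLE_CONFIG).items()):
        print(f"{name} {seq}: NAT-T {state}")
```

An `unknown` result means the global line was not in the file supplied; capturing the config with `show running-config all` includes default values and resolves it.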


NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.