NOTE FROM BOB: I think this can be deleted. I combined two articles into one: "How do I configure a Cisco device to explicitly use native IPSec or NAT-T?".


There are 2 places on a Cisco ASA where NAT-T needs to be turned on.

The ASA has to be "allowed" to use NAT-T (first setting), then it needs to be enabled for a specific site-to-site connection.

Here is a table showing the results of the combined settings:


FIRST - NAT-T must be enabled in IKE Parameters in order for any connection to have NAT-T working


NEXT - EnableNAT-T  on the individual crypto map for the IPSec connection.


NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.