There was a recent lab I was working through where Nat-T was the main focus. Basically there was a firewall behind the internet router. It looked a little something like this, but sub our R1 for a Cisco ASA:
The outside interface of my ASA was 10.0.0.1. R2 is my internet router and then it connects to R3 which belongs to my ISP. (Remember this is all a lab so addresses are hypothetical). Nat-T was not an option for the future of what I was working towards with this lab because I cannot always rely on the other end of VPN Tunnels to have it enabled. So I disabled it on my ASA. Everything in the documentation said that Nat-T needed to be enabled when the firewall was behind a router that was Nat’ing addresses. There is a big clarification that I finally found after putting thoughts from a couple of blogs together:
Nat Overload versus Static Nat.
When doing Nat overload, the Nat-t IS needed because different ports are being routed to difference hosts and the parts of the packet that the VPN tunnel uses are not able to be routed through this type of Nat translation. That being said, when static Nat is used and it is a one to one translation, the VPN tunnel WILL work, even with Nat-T turned off. This goes for tunneling, IPSEC client connections, and even AnyConnect. In this case my 10.0.0.1 IP of the outside interface was Nat’ed to a 75.X.X.X public IP that I had from my ISP when I tested this outside of the lab. Connections were still able to go through as desired.
Hope this post is found by someone looking for the same type of information that I was looking for! Good Luck and comment below if this helped!