IPSEC Tunnel Phase 2 Traffic is not encrypted

Hello Michael

If the ASA is not encrypting this traffic it could be because there’s a problem with the NAT configuration as you mentioned.

When the ASA receives a packet, it will first check if there is an ACL that allows the traffic, then it will pass it through inspection engines and check if there is any NAT associated with it. If, for example, the packet is being NATed, then the encryption will never take place.

First of all, make sure that the packets from the remote network are really reaching the ASA, and that the NAT rule is correct. Also, try taking a look at "debug cry isa 127" and "debug cry ips 127" debugs to check for any errors.

Take a look at this lesson for more insight:

And take a look at some of the previous responses in the forum; you may find some info that is useful, such as the following:

I hope this has been helpful!

Laz
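
The NAT point in the reply above, as an added example that is not part of the original post or Cisco's code: a simplified Python model in which the crypto ACL is matched against the post-NAT source address, so a PAT rule that catches VPN-bound traffic (or an exemption placed after it) leaves the packet outside the interesting-traffic definition. The rule structure, names and all addresses are constructed assumptions for illustration.

```python
import ipaddress as ip
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    src: str               # real source network
    dst: str               # destination network the rule applies to
    mapped: Optional[str]  # translated source; None = identity NAT (exemption)

def _in(addr, network):
    return ip.ip_address(addr) in ip.ip_network(network)

def translate(src, dst, rules):
    """First matching NAT rule wins; returns the post-NAT source address."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst):
            return src if r.mapped is None else r.mapped
    return src

def is_encrypted(src, dst, rules, crypto_acl):
    """Assumption of this model: the crypto ACL sees the post-NAT source."""
    post = translate(src, dst, rules)
    return any(_in(post, s) and _in(dst, d) for s, d in crypto_acl)

# Constructed sample values (RFC 1918 / documentation ranges).
CRYPTO_ACL = [("10.1.1.0/24", "10.2.2.0/24")]             # interesting traffic
PAT = NatRule("10.1.1.0/24", "0.0.0.0/0", "203.0.113.10")  # general outbound PAT
EXEMPT = NatRule("10.1.1.0/24", "10.2.2.0/24", None)       # no NAT toward remote LAN

BROKEN = [PAT]              # VPN traffic gets translated
MISORDERED = [PAT, EXEMPT]  # exemption exists but is never reached
FIXED = [EXEMPT, PAT]       # exemption evaluated first

def report(src="10.1.1.50", dst="10.2.2.20"):
    return {name: is_encrypted(src, dst, rules, CRYPTO_ACL)
            for name, rules in (("broken", BROKEN),
                                ("misordered", MISORDERED),
                                ("fixed", FIXED))}

if __name__ == "__main__":
    print(report())  # which rule sets leave VPN traffic matching the crypto ACL
```
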