Local VPN Client on PIX

e-mourad
Level 1

Hi,

Can I use a local VPN client database on the PIX and authenticate the clients using different logins and passwords?

If yes, please advise me on a document that can help me.

Thanks

1 Reply

jamesellis
Level 1

If I understand the problem correctly, you want remote users using the Cisco VPN client to log in against a local database on the PIX.

Here is a link to the document I used for basic config:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

Ignore the PPTP and MPPE items.

Add this line to the config:

crypto map (the crypto map name) client authentication LOCAL

Make sure to create some users using the username command.

In the PDM you can set this as follows:

config - vpn - ike - xauth/mode config

Interface = outside

modeconfig = initiate + respond

xauth server = LOCAL

server token = no

Here is a quick example of a command-line config:

one time config lines-------------------------

sysopt connection permit-ipsec

isakmp enable outside

general tunnel policies-------------------------------------------

crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20 set transform-set vpn-set

crypto map vpn-map 20 ipsec-isakmp dynamic dynmap

crypto map vpn-map client configuration address initiate

crypto map vpn-map client configuration address respond

crypto map vpn-map interface outside

crypto map vpn-map client authentication LOCAL

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

Group Policies-----------------------------------

ip local pool vpnpool 10.1.1.1-10.1.1.10

vpngroup vpn address-pool vpnpool

vpngroup vpn dns-server 192.168.1.12 192.168.1.13

vpngroup vpn wins-server 192.168.1.3 192.168.1.4

vpngroup vpn default-domain yourdomain.com

vpngroup vpn idle-time 1800

vpngroup vpn password cisco123

The xauth and ezvpn confused me as well, but for client vpn and local db authentication, the big catch is setting the crypto map option.

crypto map vpn-map client authentication LOCAL
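
A config check for the point made in the reply above, as an added example that is not part of the original post: it scans PIX configuration text for dynamic crypto maps applied to an interface and reports any that lack the "client authentication" line, or that point at LOCAL with no username entries. The function name, the sample text and the user entry are constructed for illustration.

```python
import re

# Constructed sample based on the reply's command-line example, with the
# xauth line deliberately left out and no local users defined.
SAMPLE_MISSING = """\
crypto dynamic-map dynmap 20 set transform-set vpn-set
crypto map vpn-map 20 ipsec-isakmp dynamic dynmap
crypto map vpn-map client configuration address initiate
crypto map vpn-map interface outside
vpngroup vpn address-pool vpnpool
"""

# Same sample with the xauth line and one constructed local user added.
SAMPLE_OK = SAMPLE_MISSING + """\
crypto map vpn-map client authentication LOCAL
username alice password EXAMPLE-ONLY
"""

def audit_local_xauth(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    dynamic_maps = set()   # crypto maps that reference a dynamic map
    bound = {}             # crypto map name -> interface it is applied to
    xauth = {}             # crypto map name -> xauth server name
    users = []             # names defined with the username command
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", line):
            dynamic_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)$", line):
            xauth[m.group(1)] = m.group(2)
        elif m := re.match(r"username (\S+) ", line):
            users.append(m.group(1))
    findings = []
    for name in sorted(dynamic_maps):
        if name not in bound:
            continue  # map is not applied to any interface
        server = xauth.get(name)
        if server is None:
            findings.append(f"{name} on {bound[name]}: "
                            "no 'client authentication' line (xauth not enabled)")
        elif server == "LOCAL" and not users:
            findings.append(f"{name}: xauth uses LOCAL but no username entries exist")
    return findings
```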
