There's a sample for a standard LAN-to-LAN tunnel between a PIX and VPN3000 here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Your's will a little different becasue you want to NAt all the traffic from the PIX before encrypting it, which is not the "normal" way to do it. It's not really any more difficult though when you take into consideration that NAT'ing happens BEFORE encryption within the PIX.

In the sample config you would not have the following line:

nat (inside) 0 access-list 101

because this is specifically telling the PIX not to NAT the encrypted traffic. You will set up policy-based NAT'ing instead, telling the PIX that any traffic from behind the PIX to behind the 3000 will be NAT'd to say, 1.1.1.1, and any other traffic outbound from the PIX will be NAT's as normal.

Using the IP addresses in the sample config, and as I said NAT'ing all the traffic to 1.1.1.1, you would add the following:

access-list l2ltraffic permit ip 10.13.1.0 255.255.255.0 10.31.1.0 255.255.255.0

nat (inside) 50 access-list l2ltraffic

global (outside) 50 1.1.1.1

So, all packets going from 10.13.1.0/24 to 10.31.1.0/24 will be NAT'd to 1.1.1.1. Now you need to tell the PIX to encrypt this traffic and send it over the tunnel (remember, the NAT'ing happens BEFORE the encryption). In the sample config, change access-list 101 to be the NAT'd traffic rather than the un-NAT'd traffic as follows:

access-list 101 permit ip host 1.1.1.1 10.31.1.0 255.255.255.0

That's it on the PIX. Now on the VPN3000 you have to define the Local and Remote networks under the LAN-to-LAN tunnel set up to be the reverse of the PIX crypto ACL (section 4 in the VPN3000 config section in the sample config). So, your Local Network is 10.31.1.0/24, and your Remote Network becomes simply 1.1.1.1/32.