ISAKMP - another port instead of port 500 over UDP

paulo.roque
Level 1

Is it possible to exchange IKE using another port instead of port 500 over UDP?

My PIX receives connections trying to establish VPN using high ports on phase 2.

It is more common when the user is using a broadband connection and his ADSL modem does NAT/PAT.

Does anyone know how to solve this problem?


ehirsel
Level 6

Is the pix the vpn gateway, or is the traffic passing thru the pix to a gateway on the internal or dmz network?

If the pix is the gateway, you need to run code 6.3.3 or higher and run this command:

isakmp nat-traversal [natkeepalive]

Here is some more info about nat-traversal:

isakmp nat-traversal

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

If needed, the show isakmp sa detail command assists in debugging NAT traversal.

Note that only NAT-T via UDP is supported, not TCP. In addition, UDP port 500 is used during the initial exchange and then UDP port 4500 is used to complete phases 1 and 2 and to carry the user traffic.

Let me know if this helps.
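The port 500 then port 4500 behaviour described above, as an added example that is not code from this thread or from Cisco: a small Python classifier that tells plain IKE on UDP 500 apart from the three things that arrive on UDP 4500 once NAT-T is negotiated (IKE behind the four-zero-byte non-ESP marker, UDP-encapsulated ESP, and the one-byte keepalive). It is the check you would run over a capture taken at the PIX to confirm NAT-T is actually in use. The header layout and exchange-type values are IKEv1; the SPIs and sample packets are constructed.

```python
import struct

IKE_PORT = 500          # ISAKMP, used for the initial exchange
NAT_T_PORT = 4500       # UDP-encapsulated IKE and ESP once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes = IKE, not ESP (an ESP SPI is never 0)
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that holds the NAT mapping open

# IKEv1 exchange types carried in ISAKMP header byte 18
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}

def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header; return None if it is malformed."""
    if len(data) < 28:
        return None
    ispi, rspi, nxt, ver, xtype, flags, msgid, length = struct.unpack("!QQBBBBII", data[:28])
    if length != len(data):          # the length field must cover the whole message
        return None
    return {
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xtype, f"type-{xtype}"),
        "phase": 1 if xtype in (2, 4) else 2 if xtype == 32 else None,
        "encrypted": bool(flags & 0x01),   # bit 0 of the flags byte = encryption
    }

def classify(dst_port, payload):
    """Label one UDP payload seen on port 500 or 4500."""
    if dst_port == IKE_PORT:
        hdr = parse_isakmp_header(payload)
        return {"kind": "ike" if hdr else "malformed", **(hdr or {})}
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[4:])
            return {"kind": "ike-nat-t" if hdr else "malformed", **(hdr or {})}
        if len(payload) >= 8:            # otherwise ESP: 4-byte SPI, 4-byte sequence number
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "esp-nat-t", "spi": spi, "seq": seq}
        return {"kind": "malformed"}
    return {"kind": "other"}

def build_isakmp(xtype, flags=0, body=b""):
    """Constructed sample ISAKMP message (dummy SPIs, version 1.0)."""
    return struct.pack("!QQBBBBII", 0x1111, 0x2222, 1, 0x10, xtype, flags, 0, 28 + len(body)) + body

if __name__ == "__main__":
    samples = [
        (500, build_isakmp(2)),                                                 # main mode, phase 1
        (4500, NON_ESP_MARKER + build_isakmp(32, flags=1, body=b"\x00" * 16)),  # quick mode, phase 2
        (4500, struct.pack("!II", 0x12345678, 1) + b"\x00" * 24),              # ESP inside UDP
        (4500, NAT_KEEPALIVE),
    ]
    for port, pkt in samples:
        print(port, classify(port, pkt))
```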

ehirsel
Level 6

Here is a URL that describes NAT-T in more detail.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#1049093

Let me know if you found it useful.