Hello Warren,
I've implemented a tunnel in the scenario you describe.
The VPN tunnel was between a 3005 concentrator and a PIX 501 using IPSec. The PIX was configured to use PPPoE on the external interface. The PIX was connected to a DLink302G (I think!) Ethernet/DSL modem which supports RFC1483 bridging enabling it to connect to PPPoA as used by the DSL connection.
Here is the abreviated config of the 501
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list v3vpn permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
ip address outside xx.xx.xx.xx 255.255.255.255 pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set vpnaps esp-des esp-md5-hmac
crypto map VPNTunnel 10 ipsec-isakmp
crypto map VPNTunnel 10 match address v3vpn
crypto map VPNTunnel 10 set peer yy.yy.yy.yy
crypto map VPNTunnel 10 set transform-set vpnaps
crypto map VPNTunnel interface outside
isakmp enable outside
isakmp key ******** address yy.yy.yy.yy netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpdn group dsllink request dialout pppoe
vpdn group dsllink localname userid@domain
vpdn group dsllink ppp authentication chap
vpdn username userid@domain password user-password
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns ??
dhcpd wins ??
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain-name
dhcpd enable inside
This should work quite happily with a PIX at the other end as well as a 3005. If the DSL IP address is not static you will have to configure the remote end to accept any IP address. The DLink302G is no longer available but other Ethernet/DSL modems with RFC1483 support are available.
With a little modification this config can be used to service remote VPN clients connecting to the PIX.
Hope this helps.
Clive