You haven't missed anything, there's nowhere to set the mask. The mask that is assigned is always the classful mask, 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address and so on.
The reason for this is that generally it doesn't matter. The VPN client simply sends everything over the tunnel with its 10.x.x.x address as the source, this then get's routed on your internal network and routed back to the PIX, which then sends it back to your client. The subnet mask never really comes into it.
The only time this causes problems is if your trying to get to a remote 10.x.x.x address, but your VPN client is sitting on a LAN that happens to be on a 10.x.x.x network also. The Microsoft OS sees this as being local (correctly), and rather than send the packet over the tunnel to the remote 10.x.x.x address, it sends it straight out the local adapter unencrypted where it usually gets lost.
If this is your case, simply change the IP pool on the PIX to be say, a 172.16.x.x address. As long as the PIX is your remote network's default gateway, those packets will be routed back to it and the PIX will do the rest. The IP pool can be anything, as long as that pool is eventually routed back to the PIX on your inside network then it'll all work.