Pix IPSec help

Dustin Barnett
Level 1

Hello,

I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now...


I have been using this document as a reference (6211): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

The remote end is a sonicwall.

The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel!

Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems...

I'm burned out at this point, so any help would be greatly appreciated. I'll provide any needed info as necessary.


7 Replies

Jennifer Halim
Cisco Employee

Since there are no debugs, maybe it is good to start from the PIX configuration so we can make sure that it has been configured correctly.

Please also share the topology and information on the other side of the tunnel so it can be matched.

Thanks for the response,

Local inside net:  172.21.25.0

Remote inside net: 172.21.19.0

Here is the config with some of the public ips x'd out. This is after I have removed some of the existing access-list entries, but it has not helped.

show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 3Y9D/DwZygxo3IfJ encrypted
passwd e0uB24QwDhBEEUhy encrypted
hostname fw1
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.21.25.36 printer-prv
name 172.21.25.39 mail-prv
name 172.21.25.1 mail-prv-old
name 68.186.x.x sbs01-pub
name 172.21.25.25 sbs01-prv
name 172.21.25.95 timeclock
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit tcp any host 68.186.x.x eq smtp
access-list acl_out permit tcp any host 68.186.x.x eq lpd
access-list acl_out permit tcp any host sbs01-pub eq smtp
access-list acl_out permit tcp any host sbs01-pub eq https
access-list acl_out permit tcp any host sbs01-pub eq 444
access-list acl_out permit tcp any host sbs01-pub eq 3389
access-list acl_out permit tcp any host sbs01-pub eq 4125
access-list acl_out permit tcp any interface outside eq 2500
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_in permit ip 172.21.25.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 172.21.25.0 255.255.255.0 172.21.19.0 255.255.255.0
access-list NoNAT permit ip 172.21.25.0 255.255.255.0 172.21.19.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.186.x.x 255.255.255.248
ip address inside 172.21.25.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC-CLIENT 192.168.250.50-192.168.250.250
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 0 172.0.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 68.186.x.x smtp mail-prv smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.186.x.x lpd printer-prv lpd netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.186.x.x 2500 timeclock 2500 netmask 255.255.255.255 0 0
static (inside,outside) sbs01-pub sbs01-prv netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.186.x.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host mail-prv radiuskey timeout 5
aaa-server LOCAL protocol local
http server enable
http 172.21.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set nuwest2nucal esp-3des esp-md5-hmac
crypto ipsec transform-set nuwest2jswest esp-3des esp-md5-hmac
crypto dynamic-map vpnclient 5 set transform-set 3DES
crypto map partner-map 20 ipsec-isakmp dynamic vpnclient
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication RADIUS
crypto map jswest 67 ipsec-isakmp
crypto map jswest 67 set pfs
crypto map jswest 67 set peer 12.234.x.x
crypto map jswest 67 set transform-set nuwest2jswest
crypto map nucal 68 ipsec-isakmp
crypto map nucal 68 match address acl_in
crypto map nucal 68 set pfs
crypto map nucal 68 set peer 66.x.x.x
crypto map nucal 68 set transform-set nuwest2nucal
crypto map jswest2 1 ipsec-isakmp
crypto map jswest2 1 match address 101
crypto map jswest2 1 set peer 12.237.x.x
crypto map jswest2 1 set transform-set nuwest2jswest
crypto map jswest2 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 12.234.x.x netmask 255.255.255.255
isakmp key ******** address 66.x.x.x netmask 255.255.255.255
isakmp key ******** address 12.237.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800

Great thanks.

The issue is your inside interface/subnet has been configured as a /16 network, and it overlaps with the remote network.

Inside interface: 172.21.25.254 (mask: 255.255.0.0), and remote network 172.21.19.0/24 also falls under the same subnet.

So instead of routing the packet, the inside hosts will try to proxy-ARP for the destination, as they think they are in the same subnet, hence it does not work.

Try changing the inside interface to a /24 subnet if you want to keep the same IP, and also change the mask to /24 on your inside hosts.

Otherwise, you will need to configure NAT to a completely different subnet for the remote 172.21.19.0/24.

Great, I had missed that!

I have changed the inside interface to 172.21.25.254 255.255.255.0

That did not solve the problem immediately. I'm wondering if this also needs to change:

global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 0 172.0.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The NAT statement is OK.

I don't think you need the following, but it doesn't overlap with the others:

nat (inside) 0 172.0.0.0 255.255.0.0 0 0

Also, just confirming that your inside host has also been changed with a subnet mask of 255.255.255.0

Try to "clear xlate", and clear the tunnel, and check the status again.

This time it should trigger some debugs. Please collect debugs if it still is not working, and also the output of the following:

show cry isa sa

show cry ipsec sa

Thanks for the help. The problem with no debugs was that the remote side had the wrong peer IP address configured.

It seems like the src and dest are mixed up. The firewall that shows this debug is the 68.186 IP.

Here's the error:

crypto_isakmp_process_block:src:12.237.x.x, dest:68.186.x.x spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3879443632

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 68.186.x.x, src= 12.237.x.x,
    dest_proxy= 171.21.25.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.21.19.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 68.186.x.x, src= 12.237.x.x,
    dest_proxy= 172.21.19.0/255.255.255.0/0/0 (type=4),
    src_proxy= 171.21.25.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS

With the following error:

IPSEC(validate_transform_proposal): proxy identities not supported

It seems that the remote and local LANs do not match between the PIX and the remote site.

On the PIX, you have the following configured:

access-list 101 permit ip 172.21.25.0 255.255.255.0 172.21.19.0 255.255.255.0

The remote end needs to have the exact mirror image of the above ACL, so it should look something like this:

access-list permit ip 172.21.19.0 255.255.255.0 172.21.25.0 255.255.255.0

What is the remote device btw?
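As an added example, not part of the original thread and not Cisco's or SonicWall's code, here is a small Python script that performs the two checks made in this thread mechanically: the accepted answer's check that the remote LAN does not fall inside the PIX's directly connected inside subnet, and the last reply's check that the proxy identities in the `IPSEC(validate_proposal_request)` debug are the exact mirror image of the PIX's crypto ACL. The function names are my own; the inputs are constructed from the config and debug posted above, with the public addresses left masked as in the thread.

```python
"""Two mechanical checks for the PIX LAN-to-LAN tunnel failures discussed in
this thread. Added example, not code from the thread or from Cisco; function
names are my own and the inputs are constructed from the posted config/debug."""
import ipaddress
import re

# Constructed from the posted config: the original /16 inside mask, the /24
# fix, the remote SonicWall LAN and the PIX crypto ACL.
INSIDE_IF_ORIGINAL = "172.21.25.254/255.255.0.0"
INSIDE_IF_FIXED = "172.21.25.254/255.255.255.0"
REMOTE_LAN = "172.21.19.0/255.255.255.0"
PIX_CRYPTO_ACL = "access-list 101 permit ip 172.21.25.0 255.255.255.0 172.21.19.0 255.255.255.0"

# Constructed excerpt of the debug posted above (public IPs left masked as in the thread).
DEBUG_EXCERPT = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 68.186.x.x, src= 12.237.x.x,
    dest_proxy= 171.21.25.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.21.19.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 68.186.x.x, src= 12.237.x.x,
    dest_proxy= 172.21.19.0/255.255.255.0/0/0 (type=4),
    src_proxy= 171.21.25.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
"""

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"(src_proxy|dest_proxy)=\s*([\d.]+)/([\d.]+)/")


def inside_overlaps_remote(inside_if: str, remote_lan: str) -> bool:
    """Check 1 (accepted answer): if the remote LAN lies inside the PIX's
    directly connected inside subnet, hosts ARP for remote addresses instead
    of sending them to the PIX, so the crypto ACL never sees interesting traffic."""
    inside_net = ipaddress.ip_interface(inside_if).network
    remote_net = ipaddress.ip_network(remote_lan, strict=False)
    return inside_net.overlaps(remote_net)


def parse_crypto_acl(acl_line: str):
    """Return (local, remote) networks from a PIX 6.3 'access-list ... permit ip' line."""
    m = ACL_RE.match(acl_line.strip())
    if m is None:
        raise ValueError(f"not a crypto ACL line: {acl_line!r}")
    _name, src, smask, dst, dmask = m.groups()
    return (ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False))


def parse_proxy_ids(debug_text: str):
    """Return one (src_proxy, dest_proxy) pair per proposal part found in
    'IPSEC(validate_proposal_request)' debug output, whatever order the two
    proxy lines appear in."""
    pairs, current = [], {}
    for kind, addr, mask in PROXY_RE.findall(debug_text):
        current[kind] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if len(current) == 2:
            pairs.append((current["src_proxy"], current["dest_proxy"]))
            current = {}
    return pairs


def mirror_acl(acl_line: str, name: str = "REMOTE_CRYPTO_ACL") -> str:
    """The ACL the remote end must carry: the exact mirror image of the PIX's."""
    local, remote = parse_crypto_acl(acl_line)
    return (f"access-list {name} permit ip {remote.network_address} {remote.netmask} "
            f"{local.network_address} {local.netmask}")


def diagnose_proxy_mismatch(acl_line: str, debug_text: str) -> list:
    """Check 2 (last reply): explain 'proxy identities not supported'.
    As responder the PIX expects the peer's src_proxy to equal our remote
    network and its dest_proxy to equal our local network. The PIX logs the
    same proposal in both orientations, so report only the closest one;
    an empty list means one proposal matched."""
    local, remote = parse_crypto_acl(acl_line)
    best = None
    for src_proxy, dest_proxy in parse_proxy_ids(debug_text):
        findings = []
        if src_proxy != remote:
            findings.append(f"peer src_proxy {src_proxy} != PIX remote {remote}")
        if dest_proxy != local:
            findings.append(f"peer dest_proxy {dest_proxy} != PIX local {local}")
        if not findings:
            return []
        if best is None or len(findings) < len(best):
            best = findings
    return best if best is not None else ["no proxy identities found in debug output"]


if __name__ == "__main__":
    print("overlap with /16 inside mask:", inside_overlaps_remote(INSIDE_IF_ORIGINAL, REMOTE_LAN))
    print("overlap with /24 inside mask:", inside_overlaps_remote(INSIDE_IF_FIXED, REMOTE_LAN))
    for finding in diagnose_proxy_mismatch(PIX_CRYPTO_ACL, DEBUG_EXCERPT):
        print("mismatch:", finding)
    print("remote end needs:", mirror_acl(PIX_CRYPTO_ACL))
```

Run against the posted debug, the second check narrows the failure to one line: the peer's dest_proxy is 171.21.25.0/24 while the PIX's local network in ACL 101 is 172.21.25.0/24, which is exactly the kind of one-digit mismatch that the "proxy identities not supported" message hides. Paste a fresh `debug crypto ipsec` capture into `DEBUG_EXCERPT` and the current crypto ACL into `PIX_CRYPTO_ACL` to reuse it on another tunnel.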