if running code 7.x or above add ipsec pass-thru to global polciy for IPsec pass trhough
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1740887
pix-asa(config)# policy-map global_policy
pix-asa(config-pmap)# class inspection_default
pix-asa(config-pmap-c)# inspect ipsec-pass-thru
pix-asa(config-pmap-c)#exit
If PIX code 6.x you need to allow udp 500 (isakmp) , udp 4500 (nat-t) and esp protocol 50
Jorge Rodriguez