Hi,
by default, when the 'sysopt permit ipsec' is enabled, no packets are filtered when they leave the VPN tunnel. So the remote site can access all services on the hosts you make available.
If you what to specify the traffic that is allowed from the VPN tunnel into your network, you have to disable the 'sysopt permit ipsec'. This will block all incoming vpn traffic. The next thing you have to do is to create an access-list that specifies the allowed traffic and apply it to you external interface.
Is you need to know which ports are necessary for printing, ... etc, you should enable logging and examine the log to see what packets are being dropped by the pix.
To enable syslog logging on the pix, use these commands:
logging host ip-address-syslog-server
logging trap 7 (7 = debug mode, 4= warning mode)
logging on
Kind Regards,
Tom