I opened a TAC case on a similar problem recently. The upshot of the case is that the PIX doesn't support VPNs when the client is behind a device doing PAT.
Here's what the TAC tech had to say about it:
*** CASE LOG 31-MAY-2002 07:27:45 PST ***
Called Kevin. The user that has the problem can connect when he tested it just outside the firewall going through an ISP, but when she goes home behind a cable modem she cannot connect. He suspects they are patting her out, which the PIX does not support. Kevin thanked me for the help and gave the ok to close this case.
And this is from an email he sent to me:
"Unfortunately the options you are talking about are only for tunnels being terminated on a Concentrator. The PIX does not support these. An example of using these is if you had a VPN client behind a PIX that was patting them out and the tunnel is terminating on a VPN Concentrator. You would then want to check 'Allow IPSec over UDP' or 'Use IPSec over TCP' depending on what you configure on the Concentrator."