While you troubleshoot, it is good practice to reapply the crypto map on the outside interface and to clear older Security Associations with the clear crypto sa command on the router and the clear isakmp sa command on the PIX Firewall. Be aware, however, that these commands clear the Security Associations of the tunnels that already exist, so other tunnels are brought down as well.
On the PIX Firewall, always create and bind separate access lists to NAT 0 and to the crypto map. The NAT 0 and crypto ACLs should be identical but with a different sequence number.
On routers, make sure that the interesting traffic is DENIED first and that the PERMIT statement comes last, so that the NAT bypass order is correct. For example:
Bad Configuration
ip access-list extended nonat
 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
 deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
Good Configuration
ip access-list extended nonat
 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
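Because access-list entries are evaluated top-down and the first match wins, the ordering rule above can be checked mechanically. The following Python check is an added example, not part of the original document; its function names are hypothetical, and it assumes only `permit|deny ip` entries with contiguous wildcard masks. It reports every entry that an earlier entry with the opposite action already covers.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_net(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wild & (wild + 1):  # assumption: only contiguous wildcard masks are handled
        raise ValueError("non-contiguous wildcard mask")
    prefix = 32 - bin(wild).count("1")
    return ipaddress.ip_network(f"{head}/{prefix}", strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for 'permit|deny ip' entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # skips the 'ip access-list extended ...' header and blanks
        rest = tokens[2:]
        src = _take_net(rest)
        dst = _take_net(rest)
        entries.append((tokens[0], src, dst))
    return entries

def shadowed_entries(text):
    """Return (later_index, earlier_index) pairs where an earlier entry with the
    opposite action matches everything the later entry matches (first match wins)."""
    entries = parse_acl(text)
    hits = []
    for i, (act, src, dst) in enumerate(entries):
        for j, (p_act, p_src, p_dst) in enumerate(entries[:i]):
            if p_act != act and src.subnet_of(p_src) and dst.subnet_of(p_dst):
                hits.append((i, j))
                break
    return hits

# The two orderings shown in this document.
BAD = """ip access-list extended nonat
 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
 deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255"""
GOOD = """ip access-list extended nonat
 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any"""
```

For the bad ordering the check reports that the third entry (index 2) is never reached because the permit at index 1 already matches its traffic; the good ordering yields no findings.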
If the PIX, ASA or router is configured for both LAN-to-LAN and VPN client access, make sure that the dynamic crypto map comes last. For example, according to this configuration, the LAN-to-LAN tunnel for peer 126.96.36.199 fails to come up, because the PIX stops looking for the actual peer once it hits the dynamic crypto map in sequence-number order. It is always a good idea to assign the highest sequence number to dynamic maps, for example, 65535.