This guide works on PIX version 8.0(3) firmware. It is untested on earlier versions.
Assumptions
Your side:
192.168.0.0/24 is your LAN internal subnet
100.100.100.100 is your PIX outside address (VPN peer address)
Counterparty side:
10.1.0.0/24 is their LAN internal subnet
200.200.200.200 is their VPN peer address
VPN:
10.2.0.0/24 is the subnet you need to NAT your LAN traffic into before it enters the VPN tunnel
The PIX Config
#Define the "interesting" traffic for the VPN (what should be sent over the VPN)
#It is anything from 10.2.0.0/24 to 10.1.0.0/24
access-list ACL_OUTSIDE_CRYPTOMAP extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
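#Define the crypto map
#Modify these example details to match the IKE/IPsec settings agreed with your counterparty
#The transform set ESP-3DES-MD5 is referenced below but not defined in this guide, and the
#pre-shared key for the peer is not shown either; both must already exist on the PIX
#3DES, MD5 and DH group 2 are legacy choices; agree on AES, SHA and a larger group if both ends support them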
crypto map outside_map 1 match address ACL_OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
#Define the Policy NAT for translating the source addresses of your LAN traffic for the VPN
#FROM: 192.168.0.0/24
#TO: 10.1.0.0/24 (VPN Peer's subnet)
access-list VPN_POLICY_NAT extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.255.0
#Now define a static translate for any traffic that matches the VPN_POLICY_NAT rule
#Traffic from your LAN subnet will be NAT'd to the source addresses 10.2.0.0/24
#This happens before the traffic enters the VPN tunnel so your peer will see the source
#addresses they require and you can keep your existing LAN addressing scheme
static (inside,outside) 10.2.0.0 access-list VPN_POLICY_NAT
#END
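
The order of operations this config relies on (policy NAT first, crypto ACL match second), modelled as an added example that is not part of the original guide. It uses the subnets from the Assumptions section; the function names and sample packets are constructed for illustration, and it assumes the network static maps addresses one-to-one so the host part is preserved.

```python
import ipaddress

# Subnets taken from the guide's Assumptions section
LAN = ipaddress.ip_network("192.168.0.0/24")      # your internal subnet
PEER_LAN = ipaddress.ip_network("10.1.0.0/24")    # counterparty subnet
NAT_NET = ipaddress.ip_network("10.2.0.0/24")     # source subnet the peer expects

def policy_nat(src, dst):
    """Model of: static (inside,outside) 10.2.0.0 access-list VPN_POLICY_NAT.
    Translates only packets that match VPN_POLICY_NAT (LAN -> peer LAN)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in PEER_LAN:
        host_part = int(src) - int(LAN.network_address)
        return NAT_NET.network_address + host_part   # 192.168.0.x -> 10.2.0.x
    return src   # no match: this rule leaves the source address unchanged

def crypto_match(src, dst, acl_src=NAT_NET):
    """Model of ACL_OUTSIDE_CRYPTOMAP: permit ip <acl_src> -> 10.1.0.0/24."""
    return src in acl_src and ipaddress.ip_address(dst) in PEER_LAN

def outbound(src, dst, acl_src=NAT_NET):
    """NAT is applied before the crypto ACL is checked.
    Returns (source address on the wire, True if the packet enters the tunnel)."""
    translated = policy_nat(src, dst)
    return str(translated), crypto_match(translated, dst, acl_src)

if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    samples = [
        ("192.168.0.25", "10.1.0.80"),    # LAN host to peer LAN
        ("192.168.0.25", "198.51.100.7"), # LAN host to an unrelated address
        ("192.168.1.25", "10.1.0.80"),    # host outside the LAN subnet
    ]
    for src, dst in samples:
        print(src, "->", dst, ":", outbound(src, dst))
    # Failure mode: a crypto ACL written with the real LAN as its source
    # never matches, because the source is already 10.2.0.x at that point.
    print("ACL on 192.168.0.0/24:", outbound("192.168.0.25", "10.1.0.80", acl_src=LAN))
```
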