As long as your IP range is getting routed to the Pix I dont see the problem of putting the device in the range of the 16 IPs. You can do portforwarding which is easy also. just dont put to waste you IP range
If you have any questions please ask. THe following are examples. Read over before implementing.
static (inside,outside) tcp interface 80 192.168.0.15 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.0.15 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 110 192.168.0.15 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.0.15 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.15 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.0.15 ftp-data netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 80
access-list acl_outside permit tcp any interface outside eq 443
access-list acl_outside permit tcp any interface outside eq ftp
access-list acl_outside permit tcp any interface outside eq ftp-data
access-list acl_outside permit tcp any interface outside eq 25
access-list acl_outside permit tcp any interface outside eq 110
****************************************************************************************
For Site to Site VPN Tunnel
Pix A
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
crypto ipsec transform-set cryptomapts1 esp-3des esp-md5-hmac
crypto map cryptomap1 10 ipsec-isakmp
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 10 set peer x.x.x.x
crypto map cryptomap1 10 set transform-set cryptomapts1
crypto map IntellonOcalamap interface outside
isakmp enable outside
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp keepalive 3600 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
xxx.xxx.xxx.xxx = Remote Pix IP. For more than 1 tunnel add another cryptomap instance.
access-list 111 permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
crypto map cryptomap1 11 ipsec-isakmp
crypto map cryptomap1 11 match address 111
crypto map cryptomap1 11 set peer x.x.x.x
crypto map cryptomap1 11 set transform-set cryptomapts1
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255
Pix B
access-list 110 permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
crypto ipsec transform-set cryptomapts1 esp-3des esp-md5-hmac
crypto map cryptomap1 10 ipsec-isakmp
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 10 set peer x.x.x.x
crypto map cryptomap1 10 set transform-set cryptomapts1
crypto map IntellonOcalamap interface outside
isakmp enable outside
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 3600 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400