I've been trying to figure this out for a while without much success, but now I have it.
If you have more than one public IP address, setting up your ASA to forward protocol 41 (IPv6 encapsulated in IPv4) is easy: you just forward all IP traffic to your tunnel server (if it's behind a NAT).
If you only have one public IP address (like most home users), this becomes a little harder.
However, with the 8.3 release for the ASA, this became possible.
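! a.b.c.d: private IP address of the tunnel endpoint behind the ASA
object network local_endpoint
 host a.b.c.d
! e.f.g.h: public IPv4 address of the remote tunnel endpoint
object network remote_endpoint
 host e.f.g.h
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
! Permit only protocol 41, and only from the remote endpoint to the local one
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside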
All you need to do is change a.b.c.d and e.f.g.h to the appropriate IP addresses and copy and paste into an SSH/console session.
This setup assumes the following:
The outside interface of the ASA has a public IP address and any device behind it has a private IP address.
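The access-list above admits protocol 41 only between the two named endpoints. The following check is an added example, not part of the original post: it audits a saved ASA config for protocol 41 rules that are wider than host-to-host. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's config with documentation addresses standing in
# for a.b.c.d (local_endpoint) and e.f.g.h (remote_endpoint).
SAMPLE_CONFIG = """\
object network local_endpoint
 host 192.168.1.10
object network remote_endpoint
 host 203.0.113.5
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside
"""

def parse_host_objects(config):
    """Map each 'object network NAME' to the address on its 'host' sub-line."""
    objects, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["object", "network"] and len(tokens) == 3:
            current = tokens[2]
        elif line.startswith(" ") and current and tokens[:1] == ["host"] and len(tokens) == 2:
            objects[current] = ipaddress.ip_address(tokens[1])
        elif not line.startswith(" "):
            current = None
    return objects

def take_endpoint(tokens, objects):
    """Consume one ACL endpoint; return (single-host address or None, remaining tokens)."""
    if len(tokens) >= 2 and tokens[0] == "object":
        return objects.get(tokens[1]), tokens[2:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return ipaddress.ip_address(tokens[1]), tokens[2:]
    if tokens and tokens[0][0].isdigit():
        return None, tokens[2:]          # "network mask" form: treated as a range
    return None, tokens[1:]              # any / any4, or nothing left

def audit_proto41(config):
    """Return findings for ACL lines that permit protocol 41 too broadly."""
    objects, findings = parse_host_objects(config), []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "41"]:
            continue
        src, rest = take_endpoint(tokens[5:], objects)
        dst, _ = take_endpoint(rest, objects)
        for role, addr in (("source", src), ("destination", dst)):
            if addr is None:
                findings.append(f"{tokens[1]}: {role} is not scoped to a single known host")
    return findings

if __name__ == "__main__":
    print(audit_proto41(SAMPLE_CONFIG) or "protocol 41 rule is scoped host-to-host")
```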