vpn client problems - cna

ajf101
Level 1

Hey all... I was reading through the forums, but couldn't find any pre-existing posts describing the problems I'm having. Has anybody run into the following situation before?

I have a Cisco 1721 router with a pre-existing IKE LAN-to-LAN tunnel with another location. I configured it the other day for remote access VPN client logins.

Here's the situation: Cisco VPN clients can connect with no problem from anywhere. An IP address gets assigned. I can even ping LAN addresses at the location being connected to.

I'm having two problems:

(1) Not all LAN addresses are pingable all the time. For instance, one minute I will be able to ping 10.1.18.1, but not 10.1.19.1. The next minute, I might be able to ping 10.1.19.1, but NOT 10.1.18.1. The LAN segment is pretty large (10.1.16.0 255.255.252.0).

(2) Except for pings, I am unable to make any sort of connection to our servers onsite (VNC, Remote Desktop, etc). I can't find any problems with the access-lists that might cause this problem.

2 Replies

ajf101
Level 1

Here's a sample of the config. We have a lot of static NATs configured as well, but I removed them.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpngroup local
aaa authorization network vpngroup local
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.16.1 10.1.17.255
ip dhcp excluded-address 10.1.19.1 10.1.19.254
!
ip dhcp pool InternalNetwork
 network 10.1.16.0 255.255.252.0
 dns-server x.x.x.x x.x.x.x
 default-router 10.1.16.1
 lease 3
!
!
class-map match-all PriorityTraffic
 match access-group 140
!
!
policy-map PriorityTrafficPolicy
 class PriorityTraffic
  bandwidth 512
 class class-default
  fair-queue
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key LAN_TO_LAN_KEY address x.x.x.x no-xauth
!
crypto isakmp client configuration group vpngroup
 key vpnkey
 pool Dynamic_Pool
 acl vpnACL
!
!
crypto ipsec transform-set LAN_TO_LAN_Trans_Set esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-Client-Transform-Set esp-3des esp-md5-hmac
!
!
crypto dynamic-map VPN-Dynamic-Map 10
 set transform-set VPN-Client-Transform-Set
!
!
crypto map Remote isakmp authorization list vpngroup
crypto map Remote client configuration address respond
crypto map Remote 10 ipsec-isakmp
 set peer 209.190.158.66
 set transform-set LAN_TO_LAN_Trans_Set
 match address 101
crypto map Remote 20 ipsec-isakmp dynamic VPN-Dynamic-Map
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Multilink1
 ip address x.x.x.x 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 service-policy output PriorityTrafficPolicy
 no cdp enable
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 crypto map Remote
!
interface FastEthernet0
 description LAN Segment
 ip address 10.1.16.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map zlogo
 speed auto
 no cdp enable
!
interface Serial0:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial1:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
ip local pool Dynamic_Pool 192.168.254.1 192.168.254.254
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
ip nat pool ovrld 67.129.179.102 67.129.179.102 prefix-length 30
ip nat inside source route-map nonat interface Multilink1 overload
!
!
!
ip access-list extended vpnACL
 permit ip 10.1.16.0 0.0.3.255 192.168.254.0 0.0.0.255
access-list 7 permit 10.1.16.0 0.0.3.255
access-list 101 permit ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip host 10.1.16.80 any
access-list 110 deny ip host 10.1.16.81 any
access-list 110 deny ip host 10.1.17.112 any
access-list 110 deny ip host 10.1.17.56 any
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 110 deny ip host 10.1.18.60 any
access-list 110 deny ip host 10.1.16.93 any
access-list 110 deny ip host 10.1.16.92 any
access-list 110 deny ip host 10.1.16.91 any
access-list 110 deny ip host 10.1.16.90 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
access-list 123 permit ip host 10.1.17.56 10.1.0.0 0.0.3.255
access-list 140 remark Traffic Prioritization
access-list 140 permit tcp any any range 6000 6010
access-list 140 permit udp any any range 6000 6010
access-list 140 remark Traffic Prioritization
!
route-map nonat permit 10
 match ip address 111 110
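One check worth running against a configuration like the one posted above is whether the NAT-exemption route-map actually excludes the VPN client pool. On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so a LAN packet destined for a client address that is translated by the overload rule no longer matches the IPsec proxy identities and leaves the outside interface unencrypted. The script below is an added example written for this thread, not code from the original poster; it transcribes the ACLs referenced by route-map nonat, the LAN-to-LAN crypto ACL 101 and the split-tunnel ACL vpnACL into a constructed excerpt, evaluates them first-match with the implicit deny, and reports for a flow whether it is exempted and encrypted, translated before encryption, or simply translated. It assumes vpnACL approximates the router-side proxy identities for client traffic and that 203.0.113.7 is just a constructed Internet host.

```python
"""Added example: trace a LAN flow through a Cisco IOS NAT-exemption route-map
and the crypto ACLs, in the order IOS applies them (inside-to-outside NAT runs
before the crypto map check), to see which flows get translated before they
could ever be encrypted."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt transcribed from the configuration posted in this thread:
# the ACLs referenced by route-map nonat, the LAN-to-LAN crypto ACL 101 and the
# split-tunnel ACL pushed to the VPN client group.
CONFIG = """\
ip access-list extended vpnACL
 permit ip 10.1.16.0 0.0.3.255 192.168.254.0 0.0.0.255
access-list 101 permit ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip host 10.1.16.80 any
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
"""

# route-map nonat permit 10 / match ip address 111 110: the flow is translated
# when ANY of the listed ACLs permits it.
NONAT_ACLS = ["111", "110"]
# ACLs whose permit entries describe traffic the crypto map will encrypt:
# 101 for the LAN-to-LAN peer, vpnACL (assumed to mirror the client-side
# proxy identities) for the client pool.
CRYPTO_ACLS = ["101", "vpnACL"]

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' to a network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_entry(tokens: List[str]) -> Entry:
    """tokens = ['permit'|'deny', 'ip', <src>, <dst>]; only plain IP entries are handled."""
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {' '.join(tokens)}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return action, src, dst


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect numbered and named extended ACL entries in configured order."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None  # named ACL whose indented entries follow
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls.setdefault(current, [])
        elif raw.startswith(" ") and current is not None:
            acls[current].append(_parse_entry(tokens))
        elif tokens[0] == "access-list":
            current = None
            acls.setdefault(tokens[1], []).append(_parse_entry(tokens[2:]))
        else:
            current = None
    return acls


def acl_permits(entries: List[Entry], src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def classify(acls: Dict[str, List[Entry]], src: str, dst: str) -> str:
    """Outcome for an inside-to-outside flow given NAT-before-crypto ordering."""
    translated = any(acl_permits(acls[n], src, dst) for n in NONAT_ACLS)
    interesting = any(acl_permits(acls[n], src, dst) for n in CRYPTO_ACLS)
    if interesting and not translated:
        return "encrypted"
    if interesting and translated:
        # NAT ran first: the translated source no longer matches the SA proxy
        # identities, so the packet leaves the outside interface in the clear.
        return "translated-before-crypto"
    return "translated-cleartext" if translated else "routed-cleartext"


ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for src, dst in [("10.1.16.5", "10.1.1.5"),        # LAN -> LAN-to-LAN peer network
                     ("10.1.16.5", "192.168.254.10"),  # LAN -> VPN client pool
                     ("10.1.16.5", "203.0.113.7")]:    # LAN -> constructed Internet host
        print(f"{src} -> {dst}: {classify(ACLS, src, dst)}")
```

Run against the transcribed entries, the LAN-to-peer flow is exempted by the leading deny in both 110 and 111 and matches ACL 101, while the LAN-to-pool flow hits the `permit ip 10.1.16.0 0.0.3.255 any` entry before anything excludes 192.168.254.0/24 and is reported as translated-before-crypto. The standard remedy on IOS is a deny for the client pool placed ahead of that permit in the ACLs the nonat route-map references, so that return traffic to clients reaches the crypto map untranslated; whether that is the whole story for the intermittent pings in this thread the posted configuration alone cannot tell.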

darren2834
Level 1

This is part of the exact problem I am having except I can sometimes remote desktop and then sometimes not. It is very intermittent.

Whilst I can't help with your query, if I find anything out I will post an update here.