You will first need a static NAT for the vpn device, then you will need to add an acl:
access-list VPN-IN permit ah any host x.x.x.x
access-list VPN-IN permit esp any host x.x.x.x
access-list VPN-IN permit udp any host x.x.x.x eq isakmp
the 'host x.x.x.x' should be the global address (NATTED Address) of the cisco 1700.
Assuming you are terminating with another VPN device on the internet you would want to apply the ACL to the outside interface.
If this is for a site-to-site you can change the keyword 'any' in ACL with 'host x.x.x.x' which would be the other vpn device. If this is for a remote-access VPN then leave the 'any' keyword, as would not know the ip of clients connecting.