I believe that a static NAT with an ACL to limit what ports to what addresses you need for this VPN to work should do the trick. Do you have any IDS sensors? If not, make sure you log your hits to the ACL so you can track the traffic on the outside...
The 169.254.x.x address is the address which MS workstations will assign to themselves if they cannot get an IP address. What is the scope of your IP addresses on your DHCP server?