Hi all,
For those who were unable to understand my question, and even for those who were about to answer: I have finally completed what I wanted to do, so I thought I should share it.
I did the following:
- Define a conditional NAT process to NAT 172.16.10.1 to 10.10.10.2, but only if going to destination 172.20.10.2:
access-list conditional_nat permit ip host 172.16.10.1 host 172.20.10.2
global (outside) 20 x.x.10.2
nat (inside) 20 access-list conditional_nat
- Define the traffic to be encrypted. This now uses the NATted 10.10.10.2 address and not the original host IP:
access-list special_vpn permit ip host 10.10.10.2 host 172.20.10.2
crypto map yourmap match address special_vpn
crypto map yourmap set peer 209.x.x.71
- Restrict outbound VPN traffic to FTP only:
access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp
access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp-data
access-list outbound_restrict deny ip host 172.16.10.1 host 172.20.10.2
access-list outbound_restrict permit ip any any
access-group outbound_restrict in interface inside
Hope this helps anyone like me.
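The configuration above depends on the PIX/ASA order of operations: the inbound ACL on the inside interface is evaluated on the real (pre-NAT) source address, policy NAT then translates only the flows that `conditional_nat` permits, and the crypto map is matched against the post-NAT addresses, which is why `special_vpn` references 10.10.10.2 rather than 172.16.10.1. The following is an added example, not part of the post and not Cisco code: it is a small Python model of that pipeline, with a first-match ACL evaluator fed the post's own access-list lines. It assumes the translated address is 10.10.10.2 as stated in the prose (the `global` line in the post is partly elided), and the packets it evaluates are constructed samples.

```python
"""Model of the PIX/ASA pipeline described in the post:
inbound ACL on the inside interface (real addresses) -> policy NAT ->
crypto-map match on the translated addresses.
Added example; the ACE lines below are copied from the post, the
translated address and the sample packets are assumptions/constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # service keywords used in the post


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None        # None means any destination port


def _addr(tokens):
    """Consume 'host A' or 'any' from the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address token {tok!r}")


def parse_acl(config):
    """Group 'access-list NAME ...' lines into {NAME: [Ace, ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def match(acl, proto, src, dst, dport=None):
    """First-match evaluation; returns the ACE action, or 'deny' (implicit deny)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Access-list lines copied from the post.
CONFIG = """
access-list conditional_nat permit ip host 172.16.10.1 host 172.20.10.2
access-list special_vpn permit ip host 10.10.10.2 host 172.20.10.2
access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp
access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp-data
access-list outbound_restrict deny ip host 172.16.10.1 host 172.20.10.2
access-list outbound_restrict permit ip any any
"""
ACLS = parse_acl(CONFIG)
NAT_GLOBAL = "10.10.10.2"   # assumption: the translated address named in the post's prose


def forward(proto, src, dst, dport=None):
    """Return (passed_inside_acl, source_after_nat, matched_crypto_acl)."""
    # 1. inbound ACL on the inside interface sees the real source address
    if match(ACLS["outbound_restrict"], proto, src, dst, dport) != "permit":
        return (False, None, False)
    # 2. policy NAT translates only flows that conditional_nat permits
    natted = match(ACLS["conditional_nat"], proto, src, dst, dport) == "permit"
    xlated = NAT_GLOBAL if natted else src
    # 3. crypto map matches on post-NAT addresses, hence special_vpn uses 10.10.10.2
    encrypted = match(ACLS["special_vpn"], proto, xlated, dst, dport) == "permit"
    return (True, xlated, encrypted)


if __name__ == "__main__":
    for pkt in [("tcp", "172.16.10.1", "172.20.10.2", 21),
                ("tcp", "172.16.10.1", "172.20.10.2", 22),
                ("tcp", "172.16.10.5", "172.20.10.2", 21)]:
        print(pkt, "->", forward(*pkt))
```

Running it shows the two behaviours worth checking before trusting such a policy: FTP control and data from 172.16.10.1 are permitted, translated and matched by the crypto ACL, while anything else from that host to 172.20.10.2 hits the `deny ip` line; a different inside host is let through by the closing `permit ip any any` but is neither translated nor matched by `special_vpn`, so it is not protected by this crypto map entry. Swapping the crypto ACL back to the real address (a `permit ip host 172.16.10.1 host 172.20.10.2` entry) makes `match` return "deny" for the translated packet, which is the mismatch the post avoids.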