Teymur
Something like the following will do. Important thing is that you nat before encrypt. Therefore, we nat to 172.16.13.56/29 and then encrypt this traffic towards 172.17.0.130. At the server side, encrypt back to the 172.16.13.56/29 subnet.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.2.2
!
crypto map vpn1 10 ipsec-isakmp
set peer 172.16.2.2
set transform-set only-esp
match address vpn-traffic
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Ethernet1/0
ip address 172.16.1.1 255.255.255.252
ip nat outside
crypto map vpn1
!
ip nat pool mswpool 172.16.13.56 172.16.13.63 netmask 255.255.255.248
ip nat inside source list nat-ipsec pool mswpool
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
ip access-list extended nat-ipsec
permit ip 192.168.10.0 0.0.255.255 172.17.0.130 255.255.255.255
ip access-list extended vpn-traffic
permit ip 172.16.13.56 0.0.0.7 172.17.0.130 255.255.255.255
Matthew