
Is it possible to do the partial NAT on nat outside interface?

frank
Level 1

Can I just NAT the traffic destined to one particular IP and not NAT the rest of the traffic?

I have tried the extended ACL with a NAT pool, but all traffic got NATed.

6 Replies

thisisshanky
Level 11

Are you trying to reach an inside IP from the internet? All you need to do is configure a static NAT for your inside IP to one public IP. None of the other traffic will be NATed until you have a dynamic pool in place (without an ACL).

ip nat inside source static

int s0

ip nat outside

int fa0/0

ip nat inside

Not sure if this is what you are looking for..

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I am trying to set it up so that all the internal users get NATed when they want to go to 10.10.10.10, but all the other traffic does not get NATed.

Do you have a pool of public IPs or just one public IP? If you have a pool of IPs, you need to create a NAT pool.

ip nat pool NATtraffic X.X.X.X Y.Y.Y.Y prefix-length ZZ

access-list <100-199> permit ip A.A.A.A B.B.B.B host 10.10.10.10

ip nat inside source list <100-199> pool NATtraffic overload <--- overload reqd only for PAT.

where,

X.X.X.X is the public IP start address,

Y.Y.Y.Y is the public IP end address

X.X.X.X = Y.Y.Y.Y if you are using PAT with a single IP address.

ZZ is the subnet mask in decimal format.

Note that the access-list number is in the range 100-199, which is an extended ACL. So this ACL will have the source specified as your internal subnet A.A.A.A (with subnet mask B.B.B.B) and destination address as 10.10.10.10.

Overload is required only for PAT.

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

That is exactly what I have on the router, but once the same source got NATed, it will always get NATed, even if it goes to another destination IP which is not 10.10.10.10.

We only want the source to get NATed when it goes to 10.10.10.10.

It seems the extended ACL works as long as the source doesn't go to 10.10.10.10, but once the source goes to 10.10.10.10, then the source will get NATed no matter where it goes.

You will need to use route maps.

Try the following:

ip nat pool NAT_Address x.x.x.x x.x.x.x netmask <mask>

ip nat inside source route-map NAT pool NAT_Address overload

access-list 100 permit ip any host 10.10.10.10

route-map NAT permit 10

match ip address 100

check

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

You can use a route-map to do this.

Here is an example:

ip nat inside source route-map NONAT interface ***** overload

access-list 120 permit ip <internal-subnet> <wildcard> host 10.10.10.10

access-list 120 deny ip any any

route-map NONAT permit 20

match ip address 120

Good luck

Ken
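As an added illustration (not code from any of the posters or from Cisco), the behaviour frank reports and the two route-map answers address, modelled in Python: a translation keyed on the inside address only is reused by every later flow from that host, while a flow-keyed entry (what a route-map produces) only translates traffic to 10.10.10.10. All addresses except 10.10.10.10 are hypothetical.

```python
"""Constructed model (not IOS code) of the NAT table behaviour in this thread.
Only 10.10.10.10 comes from the thread; the other addresses are hypothetical
RFC 1918 / RFC 5737 values."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "192.168.1."    # hypothetical inside subnet (A.A.A.A / B.B.B.B)
INSIDE_GLOBAL = "203.0.113.10"  # hypothetical single public address (PAT)
NAT_DEST = "10.10.10.10"        # the destination that should trigger NAT


def acl_permits(src: str, dst: str) -> bool:
    """Models: access-list 100 permit ip <inside-net> <wildcard> host 10.10.10.10"""
    return src.startswith(INSIDE_PREFIX) and dst == NAT_DEST


@dataclass
class NatTable:
    # True  : entry keyed on the whole flow (route-map style, extended entry)
    # False : entry keyed on the inside local address only (simple entry)
    extended: bool
    entries: dict = field(default_factory=dict)

    def translate(self, src: str, dst: str) -> str:
        """Return the source address the packet leaves the outside interface with."""
        key = (src, dst) if self.extended else src
        if key in self.entries:
            return self.entries[key]  # existing entry wins; the ACL is not re-checked
        if acl_permits(src, dst):
            self.entries[key] = INSIDE_GLOBAL
            return INSIDE_GLOBAL
        return src                    # no match: forwarded untranslated


# Three inside-to-outside flows, in the order frank describes them (constructed).
FLOWS = [
    ("192.168.1.5", "10.10.10.10"),  # must be translated
    ("192.168.1.5", "172.16.0.7"),   # same host, other destination: must NOT be
    ("192.168.1.9", "172.16.0.7"),   # host that never went to 10.10.10.10
]


def run(extended: bool) -> list:
    """Replay FLOWS through a fresh table and return the outgoing source addresses."""
    table = NatTable(extended)
    return [table.translate(src, dst) for src, dst in FLOWS]


if __name__ == "__main__":
    print("address-keyed entries:", run(False))  # second flow wrongly translated
    print("flow-keyed entries:   ", run(True))   # only the 10.10.10.10 flow translated
```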