Question : route-map nonat permit ???

I have a routing problem, but before I post the problem itself I've got a series of questions about the configuration.

In the following configuration, what do the last two lines of this four-line set do:


access-list 129 deny   ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 129
Full configuration:

Building configuration...

Current configuration : n bytes
!
version n.n
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname larson
!
boot system flash *******
enable password **********
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 12
 hash md5
 authentication pre-share
crypto isakmp key letmein! address 205.209.38.253
!
!
crypto ipsec transform-set larson esp-des esp-md5-hmac
!
crypto map nolan 12 ipsec-isakmp
 set peer 205.209.38.253
 set transform-set larson
 match address 119
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.98.0.254 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 100
 ip address 210.200.56.23 255.255.255.240
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 210.110.128.242 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 13 IETF
 crypto map nolan
!
ip nat inside source list 100 interface FastEthernet0/0.1 overload
ip nat inside source static tcp 10.98.0.2 2457 210.200.56.22 2457 extendable
ip nat inside source static tcp 10.98.0.1 2457 210.200.56.21 2457 extendable
ip nat inside source static tcp 10.98.0.254 23 210.200.56.19 23 extendable
ip nat outside source static 10.217.250.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.128.241
ip http server
ip pim bidir-enable
!
access-list 100 deny   ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny   ip 10.98.0.0 0.0.255.255 any
access-list 129 deny   ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 129
!
!
snmp-server community *****
snmp-server community *****
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C

!
line con 0
line aux 0
line vty 0 4
 password **********
 login
!
end

Answer : route-map nonat permit ???

Since you have a LAN-to-LAN VPN configured, you don't want the traffic to be NATted, so you create an access list that denies the traffic from your local LAN to the remote LAN and permits all others. This access list is applied to a route-map "nonat" (no NAT), which says that if the traffic matches access-list 129, then those packets are not NATted.
These 4 lines (should) go with this one:

> ip nat inside source list 100 interface FastEthernet0/0.1 overload

Which I would expect to read:
ip nat inside source route-map nonat interface FastEthernet0/0.1 overload

Obviously, since the route-map is not applied, those 4 lines are not doing anything at this time.
Instead, you are accomplishing the same thing with access-list 100, which IS applied to the NAT process.
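As an added example (not part of the original question or answer), here is a small Python model of how the router evaluates these access lists: a Cisco wildcard mask is an inverse mask (a 1 bit means "don't care"), an ACL is first-match with an implicit deny at the end, `ip nat inside source list 100 ...` translates only the packets ACL 100 permits, and a `route-map nonat` entry with `match ip address 129` is likewise satisfied only by packets ACL 129 permits. The ACL text is copied from the configuration above; the flow addresses fed in are constructed for this demonstration. The `classify` and `overlaps` helpers are my own names, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ACL text copied verbatim from the router configuration in the question.
ACL_TEXT = """
access-list 100 deny   ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny   ip 10.98.0.0 0.0.255.255 any
access-list 129 deny   ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
"""

@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source network
    src_wild: str    # Cisco wildcard (inverse) mask for the source
    dst: str         # destination network
    dst_wild: str    # Cisco wildcard (inverse) mask for the destination

def wild_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acls(text: str) -> Dict[str, List[AclEntry]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, grouped by list number."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        number, action = parts[1], parts[2]
        src, src_w, rest = _take_addr(parts[4:])
        dst, dst_w, _ = _take_addr(rest)
        acls.setdefault(number, []).append(AclEntry(action, src, src_w, dst, dst_w))
    return acls

def acl_decision(entries: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if wild_match(src, e.src, e.src_wild) and wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"

ACLS = parse_acls(ACL_TEXT)

def is_natted(acls, src: str, dst: str) -> bool:
    # 'ip nat inside source list 100 ...' translates only packets ACL 100 permits;
    # 'route-map nonat' matching ACL 129 would behave identically (129 == 100 here).
    return acl_decision(acls["100"], src, dst) == "permit"

def is_crypto_selected(acls, src: str, dst: str) -> bool:
    # 'crypto map nolan 12 ... match address 119' selects packets ACL 119 permits.
    return acl_decision(acls["119"], src, dst) == "permit"

def classify(acls, src: str, dst: str) -> str:
    nat, enc = is_natted(acls, src, dst), is_crypto_selected(acls, src, dst)
    if enc and not nat:
        return "vpn (not natted)"
    if nat and not enc:
        return "internet (natted)"
    if nat and enc:
        return "conflict: matched by both NAT and crypto ACLs"
    return "neither"

def overlaps(acls, flows) -> List[Tuple[str, str]]:
    """Flows both translated and crypto-selected: what the NAT-exemption ACL prevents."""
    return [(s, d) for s, d in flows if is_natted(acls, s, d) and is_crypto_selected(acls, s, d)]

# Constructed sample flows, not taken from the question.
SAMPLE_FLOWS = [
    ("10.98.1.10", "10.217.5.5"),      # inside LAN to remote LAN: tunnel, no NAT
    ("10.98.1.10", "8.8.8.8"),         # inside LAN to the Internet: NAT overload
    ("10.98.0.254", "10.217.250.79"),  # router's inside address to remote host: tunnel
    ("192.168.1.1", "8.8.8.8"),        # not from the inside LAN: implicit deny in both
]

if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(f"{s} -> {d}: {classify(ACLS, s, d)}")
    print("ACL 100 and ACL 129 identical:", ACLS["100"] == ACLS["129"])
    print("NAT/crypto overlaps:", overlaps(ACLS, SAMPLE_FLOWS))
```

Running it shows the two properties a practitioner would check in this kind of configuration: ACL 100 and ACL 129 parse to identical entry lists (which is why the unused route-map changes nothing), and over the sample flows no packet is both translated and selected by the crypto map, so the NAT-exemption list and the crypto ACL 119 are mirror images of each other.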