Question : route-map nonat permit ???

I have a routing problem but before I post the problem itself I've got a series of questions about the configuration.

In the following configuration, what do the last two lines of this four-line set do:

access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129

Full configuration:

Building configuration...

Current configuration : n bytes
!
version n.n
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname larson
!
boot system flash *
enable password **
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 12
hash md5
authentication pre-share
crypto isakmp key letmein! address 205.209.38.253
!
!
crypto ipsec transform-set larson esp-des esp-md5-hmac
!
crypto map nolan 12 ipsec-isakmp
set peer 205.209.38.253
set transform-set larson
match address 119
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.98.0.254 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation isl 100
ip address 210.200.56.23 255.255.255.240
no ip redirects
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip route-cache
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
crypto map nolan
!
interface Serial0/0.1 point-to-point
ip address 210.110.128.242 255.255.255.252
ip nat outside
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 13 IETF
crypto map nolan
!
ip nat inside source list 100 interface FastEthernet0/0.1 overload
ip nat inside source static tcp 10.98.0.2 2457 210.200.56.22 2457 extendable
ip nat inside source static tcp 10.98.0.1 2457 210.200.56.21 2457 extendable
ip nat inside source static tcp 10.98.0.254 23 210.200.56.19 23 extendable
ip nat outside source static 10.217.250.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.128.241
ip http server
ip pim bidir-enable
!
access-list 100 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny ip 10.98.0.0 0.0.255.255 any
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129
!
!
snmp-server community *
snmp-server community *
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C

!
line con 0
line aux 0
line vty 0 4
password ********
login
!
end

Answer : route-map nonat permit ???

Since you have a lan-lan VPN configured, you don't want the traffic to be natted, so you create an access-list that denies the traffic from your local lan to the remote lan, and permit all others. This access-list is applied to a route-map "nonat" (No NAT) which says that if the traffic matches the access-list #129, then those packets are not natted.
These 4 lines (should) go with this one:

>ip nat inside source list 100 interface FastEthernet0/0.1 overload

Which I would expect to read:
ip nat inside source route-map nonat interface FastEthernet0/0.1 overload

Obviously, since the route-map is not applied those 4 lines are not doing anything at this time.
Instead, you are accomplishing the same thing with access-list 100 that IS applied to the NAT process

Random Solutions

No DSN SRV records for AD

CHILD DOMAIN DNS

192.168.22.X on public internet?

Cisco Catalyst 2900 > HyperTerminal help

How to findout the network ID and Broadcast ID from this IP?

V2i Protector won't work without my user name and password for target machine on my network, I didn't set one.

Cisco Discovery Protocol

Getting NDR 3030 Errors for all emails sent to One specific Mail Domain mail.charter.net - SMTP unable to authenticate

Can ping but can't see other servers on VPN

How do I specify the preferred network adapter?