I'm trying to configure a router-to-router IPsec tunnel but I don't understand what the command
"route-map nonat permit 10"
means. Can somebody explain it to me clearly?
A VPN router very commonly acts as the internet router as well. With an internet router, normally you would NAT the LAN to a public IP for accessing the internet:
ip nat inside
ip nat outside
When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between two private networks, the router shouldn't NAT/PAT any traffic destined for the remote peer's private network. In order to configure this, you need the commands below.
access-list 101 deny ip
access-list 101 permit ip any
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
match ip address 101
With the sample above:
"access-list 101 deny ip " means the router will not NAT/PAT any traffic destined for the remote network.
"access-list 101 permit ip any" means the router will NAT/PAT all other traffic, e.g. to the internet.
"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface Dialer0 for PAT.
"route-map nonat permit 10
match ip address 101" maps ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.
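To make the deny-means-exempt logic of the answer above concrete, here is an added example (not from the original post) that parses a constructed version of that config, with assumed addressing of 192.168.1.0/24 for the local LAN and 192.168.2.0/24 for the remote VPN LAN, and decides per packet whether the overload rule would translate it. The ACL parser, route-map lookup and helper names are all my own assumptions, not IOS features.

```python
import ipaddress

# Constructed sample config, not from the original post. Assumed addressing:
# local LAN 192.168.1.0/24, remote VPN peer LAN 192.168.2.0/24 (the IOS wildcard
# 0.0.0.255 is a /24). The deny line is the NAT exemption for VPN traffic.
CONFIG = """
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
 match ip address 101
"""

def _take_addr(tokens):
    """Consume one IOS ACL address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # invert wildcard bits
    # Non-contiguous wildcards (legal in IOS) raise ValueError here; kept simple.
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for the extended ACL `number`."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["access-list", str(number)] or parts[3] != "ip":
            continue
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        entries.append((parts[2], src, dst))
    return entries

def route_map_acl(config, name):
    """ACL number from the 'match ip address' line of the first clause of `name`."""
    lines = [l.split() for l in config.splitlines()]
    for i, parts in enumerate(lines):
        if parts[:2] == ["route-map", name] and parts[2:3] == ["permit"]:
            return int(lines[i + 1][3])  # next line: match ip address N
    raise ValueError(f"route-map {name} not found")

def acl_verdict(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def will_nat(config, src, dst, route_map="nonat"):
    """True if the overload rule translates src->dst: the clause is 'permit',
    so only ACL-permitted traffic is PATed; an ACL deny means leave it alone."""
    entries = parse_acl(config, route_map_acl(config, route_map))
    return acl_verdict(entries, src, dst) == "permit"
```

Traffic from the LAN to the remote VPN LAN hits the deny and is left untranslated, LAN traffic to any other destination is PATed, and anything outside the LAN falls through to the implicit deny and is not translated either.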
It is there so that if you are performing split-tunneling, this says: do not NAT out to the internet the access-list that you define. You would need to follow this command with a "match ip address ".