route-map command

dom.a
Level 1

Hi,

I'm trying to configure a router-to-router IPsec tunnel, but I don't understand what the following command means:

"route-map nonat permit 10"

Can somebody explain it to me clearly?

Regards

2 Accepted Solutions

froggy3132000
Level 3

It is there so that, if you are performing split-tunneling, this is saying: do not NAT out to the Internet the access-list that you define. You would need to follow this command with a "match ip address ".

View solution in original post

jackko
Level 7

A VPN router very commonly acts as the Internet router as well. With an Internet router, normally you would NAT the LAN to a public IP for accessing the Internet.

e.g.

interface Ethernet0
 ip address
 ip nat inside
interface Dialer0
 ip address
 ip nat outside

When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between two private networks, the router shouldn't NAT/PAT any traffic destined for the remote peer's private network. In order to configure this, you need the commands below.

access-list 101 deny ip
access-list 101 permit ip any
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
 match ip address 101

With the sample above,

"access-list 101 deny ip " means the router will not NAT/PAT any traffic destined for the remote net.

"access-list 101 permit ip any" means the router will NAT/PAT all other traffic, e.g. Internet.

"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface Dialer0 for PAT.

"route-map nonat permit 10
 match ip address 101" maps ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.

View solution in original post
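The NAT-exemption pattern jackko describes, written out end to end with constructed sample values so the relationship between the NAT ACL and the crypto ACL is visible (example configuration added here, not taken from either post). The networks 192.168.1.0/24 and 192.168.2.0/24, the peer 203.0.113.2, the transform-set name TS, the crypto map name VPNMAP and the pre-shared key placeholder are all assumptions.

```cisco
! Constructed sample topology (example values, not from the thread):
!   local LAN  192.168.1.0/24 behind Ethernet0  (ip nat inside)
!   remote LAN 192.168.2.0/24 reached over the IPsec tunnel
!   Dialer0 is the Internet-facing interface     (ip nat outside)
!
! NAT-exemption ACL. First match wins, so the deny for LAN-to-remote-LAN
! traffic must come before the permit that covers everything else.
! A deny here means "this clause of route-map nonat does not match",
! and a packet that matches no clause is left untranslated.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Crypto ACL: the mirror image of the deny line above. The traffic that
! is exempted from NAT is exactly the traffic that gets encrypted; if the
! two ACLs drift apart, VPN traffic is PATed and never matches the tunnel.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
!
ip nat inside source route-map nonat interface Dialer0 overload
!
! IKE/IPsec settings (constructed; replace the key placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 crypto map VPNMAP
!
! Verification: after sending LAN-to-remote-LAN and LAN-to-Internet traffic,
! "show access-lists 101" should show hits on the deny line for the VPN flow,
! and only the Internet flow should appear in "show ip nat translations".
```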
