wilson2468
Technical User
We have a 3005 VPN concentrator connecting to a VPN/Firewall at a remote disaster site. I have no management capability of the remote device.
I am trying to move the tunnel from the concentrator to a router to see if the 3005 is a bottleneck.
I got a config off of Cisco's site and it looks straightforward enough.
I am stuck on the NATing part in the document.
It shows the following (the 172 network is the inside interface of the router being configured, the 192 is the inside network of the remote end of the tunnel):
Traffic to encrypt:
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
Traffic to except from NAT process:
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
My questions:
Why would I want to except the encrypted traffic from the NAT process? It seems it HAS to be NATed.
Or does it not matter because the other end is going to do the routing so I do not want to NAT, which would mean this statement is for the inside of the tunnel?
What do these commands do:
ip nat pool mypool 4.22.6.22 4.22.6.22 netmask 255.255.255.224
ip nat inside source route-map nonat pool mypool overload
and:
route-map nonat permit 10
match ip address 110
Thanks
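The following is an added illustration, not part of the post above and not Cisco's code. It models the inside-to-outside order of operations on an IOS router, where NAT translation is applied before the crypto map is evaluated, using the two ACLs quoted in the post. It assumes that ACL 110 ends with a "permit ip 172.16.1.0 0.0.0.255 any" line (the post shows only the deny lines), that the pool's single address 4.22.6.22 is used for overload (PAT), and it uses constructed sample packets. Running it shows why the deny lines matter: without them, traffic destined for the remote inside networks would be translated to 4.22.6.22 first, would then fail to match crypto ACL 101, and would leave the outside interface unencrypted instead of inside the tunnel.

```python
import ipaddress

# ACLs copied from the post. ACL 110's final "permit ... any" line is an ASSUMPTION
# (the post shows only the deny entries); it is what makes ordinary Internet-bound
# traffic get NATed while tunnel traffic is excepted.
ACL_101 = [  # crypto ACL: traffic to encrypt
    "permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255",
    "permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255",
]
ACL_110 = [  # referenced by route-map nonat: what is NATed
    "deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "deny ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255",
    "deny ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255",
    "permit ip 172.16.1.0 0.0.0.255 any",  # assumed final entry
]
NAT_POOL_ADDR = "4.22.6.22"  # ip nat pool mypool 4.22.6.22 4.22.6.22 ... overload


def _wildcard_match(addr, network, wildcard):
    """IOS wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _take_address(tokens):
    """Consume one address spec ('any', 'host X', or 'network wildcard')."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _parse_entry(entry):
    parts = entry.split()
    action = parts[0]            # permit / deny
    rest = parts[2:]             # skip the protocol keyword ('ip')
    src, rest = _take_address(rest)
    dst, rest = _take_address(rest)
    return action, src, dst


def acl_action(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for entry in acl:
        action, (sn, sw), (dn, dw) = _parse_entry(entry)
        if _wildcard_match(src, sn, sw) and _wildcard_match(dst, dn, dw):
            return action
    return "deny"


def forward_inside_to_outside(src, dst, nat_acl=ACL_110):
    """Model the IOS inside-to-outside path: NAT first, then the crypto-map check.

    The route-map 'nonat' permits (i.e. translates) exactly what nat_acl permits;
    packets the ACL denies keep their original source address.
    """
    if acl_action(nat_acl, src, dst) == "permit":
        src_on_wire = NAT_POOL_ADDR          # overload: everyone shares the pool address
    else:
        src_on_wire = src                    # excepted from NAT
    # The crypto map sees the packet AFTER translation.
    encrypted = acl_action(ACL_101, src_on_wire, dst) == "permit"
    return {"src_on_wire": src_on_wire, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed sample flows (198.51.100.7 is a documentation address).
    print("to remote LAN, correct ACL 110:",
          forward_inside_to_outside("172.16.1.10", "192.168.10.5"))
    print("to Internet,   correct ACL 110:",
          forward_inside_to_outside("172.16.1.10", "198.51.100.7"))
    # Misconfiguration: deny lines omitted, so tunnel traffic is NATed too.
    broken_110 = ["permit ip 172.16.1.0 0.0.0.255 any"]
    print("to remote LAN, missing deny lines:",
          forward_inside_to_outside("172.16.1.10", "192.168.10.5", nat_acl=broken_110))
```

The third case is the one worth checking on a real box: if the NAT exemption is wrong, `show crypto ipsec sa` shows no encaps for the remote subnets while `show ip nat translations` shows the inside hosts being translated for those destinations.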