Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-2 split tunnel and local resources

  • 1.  RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 09:31 AM

    I am trying to configure split tunnel over a RAP-2, and I'm 98% of the way there but I still have one thing I can't get to work.

    On the controller I have configured a Policy with the rules:
         any      any                                       svc-dhcp     permit
         user     alias(Destinations_internal_networks)     any          permit
         any      any                                       any          route src-nat

    I am able to tunnel in from the remote site to the main office on the internal networks, and all other network traffic is being routed out to the Internet via the local network. However, I am unable to access local resources such as my wireless printer or network shares. I can ping anything on the local network (192.168.2.0/24), but the connections won't come up.

    Any suggestions?



  • 2.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 09:37 AM

    How are you trying to connect to those printers, via IP or name?

    Can you do a show datapath session table <ipaddress>?



  • 3.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 10:48 AM

    I'm trying to connect by name, though IP may be an option if it's the only way.

    The show datapath command on the controller comes up empty.



  • 4.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 11:48 AM

    Are you already able to access those printers by name through the wire with that same laptop?

    You may have to change the LMHOSTS file if you are using a Windows laptop.



  • 5.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 11:58 AM

    Normally I connect wirelessly with my laptop over my local SSID and it works fine. When I change to the RAP SSID, I get all the network functionality as stated earlier, but my printer icon greys out and goes offline (although I can still ping it).

    I'll look into the LMHOSTS file. Can you give a little guidance on what to put in there?



  • 6.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 02:19 PM

    Try the following under the user-role and see if this helps:

    Create an alias:

        (controller) (config) #netdestination LOCAL-SEGMENT
        (controller) (config-dest) #network 192.168.0.0 255.255.0.0

    Create an ACL allowing this traffic:

        (controller) (config) #ip access-list session ALLOW-LOCAL-SEGMENT
        (controller) (config-sess-ALLOW-LOCAL-SEGMENT) #any alias LOCAL-SEGMENT any permit

    And turn on [screenshot: All Profile Management] under the System profile of the RAP AP-Group.

    If this doesn't work you may have to do it by IP or open a TAC case to see if there's anything else you might need to do.



  • 7.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 03:13 PM

    I'll give that a try tonight and let you know how it works.  Thanks for all your help!



  • 8.  RE: RAP-2 split tunnel and local resources

    Posted Jul 29, 2013 04:44 PM

    Just one more question -- in that final command (any alias LOCAL-SEGMENT any permit), can you confirm "permit"?  Wouldn't that send the packet through the tunnel to the office internal network, when I want it to remain local?



  • 9.  RE: RAP-2 split tunnel and local resources

    EMPLOYEE
    Posted Jul 29, 2013 06:49 PM

    @Gawain wrote:

    Just one more question -- in that final command (any alias LOCAL-SEGMENT any permit), can you confirm "permit"?  Wouldn't that send the packet through the tunnel to the office internal network, when I want it to remain local?


    The "permit" action should send the traffic into the tunnel. The Remote-AP local network access command should accomplish the following, FYI:

    The remote-AP local network access feature allows local network access between clients connected to a RAP without routing the traffic back to the controller. When two clients that are connected to a split-tunnel SSID or wired port are on the same VLAN, the traffic between them always is switched locally. However, if these two clients are on different VLANs, the traffic is routed via the controller. When remote-AP local network access is enabled, the RAP switches the traffic locally instead of routing the traffic back and forth through the controller. Similarly, for bridge mode clients on different VLANs, the remote-AP local network access feature switches the traffic locally instead of forwarding it to the upstream router when the "user any any route src-nat" firewall rule is triggered.
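The two replies above (the alias/ACL from reply 6 and the permit-means-tunnel answer plus local-network-access description from reply 9) both hinge on how a split-tunnel role's session ACL is evaluated: first match wins, "permit" forwards into the tunnel, "route src-nat" bridges out the RAP's local uplink. The model below is an added example written for this page, not Aruba code or anything from the thread's participants; it reconstructs that first-match evaluation so you can see which rule the OP's printer traffic actually hits and why the position of ALLOW-LOCAL-SEGMENT relative to the "any any any route src-nat" catch-all decides the outcome. Assumed, not from the thread: the corporate range behind Destinations_internal_networks (10.0.0.0/8), the client and printer addresses, the service alias names svc-smb and svc-jetdirect, and the simplified client-to-client handling taken from reply 9's prose.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of first-match session-ACL evaluation on a split-tunnel
# RAP user role. Illustrative only; the real datapath is stateful and has
# NAT pools, default ACLs and more actions than modelled here.
#
# Rule shape mirrors the thread:  <src> <dst> <service> <action>
#   src/dst : "any" | "user" | "alias NAME"
#   action  : "permit"        -> forwarded into the tunnel to the controller
#             "route src-nat" -> bridged out the RAP's local uplink, NATed
#             "deny"

# Assumed service aliases; svc-dhcp is real, the other two are placeholder
# names for the OP's SMB share and JetDirect-style printer port.
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-smb": ("tcp", 445),
    "svc-jetdirect": ("tcp", 9100),
}

ACTION_TO_PATH = {"permit": "tunnel", "route src-nat": "local-nat", "deny": "deny"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str


class Policy:
    """Ordered session-ACL rules plus netdestination aliases."""

    def __init__(self, aliases, rules):
        self.aliases = {name: [ipaddress.ip_network(n) for n in nets]
                        for name, nets in aliases.items()}
        self.rules = list(rules)

    def _host_match(self, spec, ip, user_ip):
        if spec == "any":
            return True
        if spec == "user":            # the authenticated station itself
            return ip == user_ip
        if spec.startswith("alias "):
            name = spec.split(None, 1)[1]
            return any(ip in net for net in self.aliases[name])
        raise ValueError(f"unknown host spec {spec!r}")

    @staticmethod
    def _service_match(spec, proto, port):
        if spec == "any":
            return True
        sproto, sport = SERVICES[spec]
        return sproto == proto and sport == port

    def evaluate(self, user_ip, dst_ip, proto, port):
        """Return (rule_index, action) of the first matching rule; (None, 'deny') if none."""
        user_ip, dst_ip = ipaddress.ip_address(user_ip), ipaddress.ip_address(dst_ip)
        for i, r in enumerate(self.rules):
            if (self._host_match(r.src, user_ip, user_ip)
                    and self._host_match(r.dst, dst_ip, user_ip)
                    and self._service_match(r.service, proto, port)):
                return i, r.action
        return None, "deny"       # implicit deny at the end of the role


def forwarding_path(policy, user_ip, user_vlan, dst_ip, proto, port,
                    rap_clients=None, local_network_access=False):
    """Where the RAP sends a station's packet.

    rap_clients maps the IPs of other stations on this RAP to their VLAN. Per
    reply 9 (modelled as an assumption): same-VLAN client traffic is always
    switched locally; different-VLAN client traffic is routed via the
    controller unless remote-AP local network access is on. Everything else
    is decided by the role's session ACL.
    """
    rap_clients = rap_clients or {}
    if dst_ip in rap_clients:
        if rap_clients[dst_ip] == user_vlan or local_network_access:
            return "local-switch"
        return "tunnel"
    _, action = policy.evaluate(user_ip, dst_ip, proto, port)
    return ACTION_TO_PATH[action]


# The OP's role, with an assumed corporate range behind the alias.
INTERNAL = {"Destinations_internal_networks": ["10.0.0.0/8"]}
OP_RULES = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("user", "alias Destinations_internal_networks", "any", "permit"),
    Rule("any", "any", "any", "route src-nat"),
]
op_policy = Policy(INTERNAL, OP_RULES)

# Reply 6's alias and ACL, once placed before the catch-all and once after it.
LOCAL = {"LOCAL-SEGMENT": ["192.168.0.0/16"]}
ALLOW_LOCAL = Rule("any", "alias LOCAL-SEGMENT", "any", "permit")
local_first = Policy({**INTERNAL, **LOCAL}, OP_RULES[:2] + [ALLOW_LOCAL, OP_RULES[2]])
local_last = Policy({**INTERNAL, **LOCAL}, OP_RULES + [ALLOW_LOCAL])


def demo():
    """Trace the OP's printer and HQ-share traffic through each policy variant."""
    user = "10.20.30.40"       # assumed: split-tunnel client addressed from a controller VLAN
    printer = "192.168.2.50"   # assumed host on the OP's 192.168.2.0/24 LAN
    return {
        "op_printer": op_policy.evaluate(user, printer, "tcp", 9100),
        "op_share_hq": op_policy.evaluate(user, "10.1.1.5", "tcp", 445),
        "local_first_printer": local_first.evaluate(user, printer, "tcp", 9100),
        "local_last_printer": local_last.evaluate(user, printer, "tcp", 9100),
    }


if __name__ == "__main__":
    for name, (idx, action) in demo().items():
        print(f"{name:22s} rule {idx} -> {action}")
```

Reading the output: under the OP's role the printer session falls through to rule 2 (route src-nat), so it leaves the RAP NATed to the RAP's own address; HQ shares match rule 1 and go through the tunnel. With ALLOW-LOCAL-SEGMENT inserted ahead of the catch-all, 192.168.x.x destinations now match a permit and are tunnelled, exactly the concern raised in reply 8; appended after the catch-all it is shadowed and never matches. Whichever you intend, check the live rule order with the role's ACL listing and confirm with show datapath session table for the client, since a rule that is never hit shows no sessions.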