
Split-tunnel on AP135 RAP mode

Hi everyone,


I have a question about the diagram.


Nokair Diagram.jpg


The customer has requested the following:

If a client wants to use Internet traffic, it should be sent to the IPsec tunnel (red),

but if a client wants to copy files on the file-sharing server, the traffic should not be sent to the IPsec tunnel. The traffic should be routed on the router, not on the controller, and sent to the file-sharing server.


I have defined the ACL as follows:


user any udp 68 deny

any any svc-dhcp permit

user  network any permit

user any network  route src-nat


but it is not working.


How should I define the ACL so that it works?


Thank you





Re: Split-tunnel on AP135 RAP mode

I understand you right, you want to tunnel Internet traffic to the controller, but keep traffic destined to local resources local (file sharing, etc.). First make sure your virtual AP is in split-tunnel mode.


wlan virtual-ap <YOUR-VAP>

forward-mode split-tunnel


Try the following for the appropriate role:


user any udp 68 deny

user any svc-dhcp permit

user network route src-nat

user any any permit


This will src-nat local traffic through the AP-135 (RAP) so that it stays local. All other traffic is sent to the controller via the "permit" action of the final rule.


Systems Engineer, Northeast USA
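
An added example, not part of either post and not Aruba code: a small first-match evaluator that checks which path a client flow takes under the rule order suggested in the reply, and what changes if the catch-all permit is placed above the route rule. The subnet 192.0.2.0/24, the sample flows, the port range for svc-dhcp and the deny-on-no-match default are assumptions; the thread does not give the real file-server network.

```python
import ipaddress

# Constructed placeholder: the thread does not give the file-server subnet.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

def dst_any(ip):
    return True

def dst_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def svc_any(proto, port):
    return True

def svc_udp68(proto, port):
    return (proto, port) == ("udp", 68)

def svc_dhcp(proto, port):
    # Assumption: svc-dhcp covers UDP ports 67 and 68.
    return proto == "udp" and port in (67, 68)

# Rules from the reply, source "user" in every rule, in the posted order.
REPLY_ACL = [
    (dst_any, svc_udp68, "deny"),           # user any udp 68 deny
    (dst_any, svc_dhcp, "permit"),          # user any svc-dhcp permit
    (dst_local, svc_any, "route src-nat"),  # user network route src-nat (LOCAL_NET here)
    (dst_any, svc_any, "permit"),           # user any any permit
]
# Hypothetical misordering: the catch-all permit placed above the route rule.
MISORDERED_ACL = REPLY_ACL[:2] + [REPLY_ACL[3], REPLY_ACL[2]]

# Forwarding result per action on a split-tunnel virtual AP, as the reply describes.
PATH = {"permit": "tunnel to controller",
        "route src-nat": "local, NATed at the RAP",
        "deny": "dropped"}

def evaluate(acl, dst_ip, proto, port):
    """Return the action of the first rule that matches the client's flow."""
    for dst_match, svc_match, action in acl:
        if dst_match(dst_ip) and svc_match(proto, port):
            return action
    return "deny"  # assumption: no match means the flow is denied

if __name__ == "__main__":
    flows = [("192.0.2.10", "tcp", 445), ("198.51.100.7", "tcp", 443),
             ("255.255.255.255", "udp", 67), ("192.0.2.10", "udp", 68)]
    for name, acl in (("reply", REPLY_ACL), ("misordered", MISORDERED_ACL)):
        for dst, proto, port in flows:
            action = evaluate(acl, dst, proto, port)
            print(f"{name:10} {dst:15} {proto}/{port:<4} {action:13} -> {PATH[action]}")
```

With the misordered list, the file-server flow matches the catch-all permit first and is tunneled to the controller, so the route rule never takes effect.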
