
New Contributor

RAP unable to split tunnel properly

Hi All,

I am having a problem with a RAP in a split-tunnel setup. The RAP is connected to the remote branch ( and is able to connect successfully to the right profile and role. I have 3 requirements.

1) User at remote branch is able to get an IP from the branch's DHCP server (done, using the 1st rule)
2) User is able to surf the internet using the branch's internet access (done, using the last rule)
3) User is able to tunnel back to HQ via the RAP (unable to src-NAT properly). I am unable to ping any HQ IP address.

I have tried to use svc-icmp and src-nat with an IP pool but am still unable to ping HQ. What is the requirement for NAT to happen so that traffic can go into HQ, since HQ does not have a route to my branch in the core switch?

ip access-list session Splittunnel
any any svc-dhcp route src-nat ---> get local DHCP
any network any route src-nat ---> access remote branch servers
any network any permit ---> access HQ, but this rule doesn't seem to NAT to the controller interface IP, thus unroutable
any any any route src-nat ---> access internet

I have been on this problem for a few days and need some urgent help.
Aruba Employee

Re: RAP unable to split tunnel properly

"any network any permit--->Access HQ, but this rule doesn't seem to NAT to controller interface IP thus unroutable."

You show your mask as a /16; is this supposed to be a /24?

Also, that rule won't NAT to the controller interface IP; that rule just says to push all traffic bound to (the way it's currently shown) down the tunnel to the controller and route from there.

There's probably a way to NAT this on the controller, but the way I've done my RAP designs (for full tunnel or split tunnel) is to give the clients connected to the RAP an IP address from within the VLAN that is assigned to the RAP's VAP or wired port. The DHCP server in that case is on the controller (Corporate) side of the network, and the VLAN is defined on the network. Then use static routes or OSPF to ensure the Corporate side of the network knows to use the controller to get to that VLAN.

For example, all your branch LANs could be, but your RAP VAPs and wired ports could be in VLAN 10, which is defined on the controller and in subnet Use a corporate DHCP server to give out addresses for that network and use an IP helper on the controller VLAN. All clients on the RAP get an address in Put a static on the next-hop inside your Corporate network pointing to the controller or use OSPF to get in your Corporate network. Change your policy to read:

ip access-list session Splittunnel
any any svc-dhcp permit (DHCP from Corporate side)
any network any permit (access Corporate network)
any any any route src-nat (bridge everything else and src-nat to RAP WAN port)

Hope that helps.
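The reason the original "permit" rule leaves HQ unreachable while the reworked policy does not comes down to two things: the session ACL is evaluated top-down with first match winning, and "permit" sends the packet down the tunnel with its source address untouched, whereas "route src-nat" bridges it out of the RAP uplink with the source rewritten to the RAP's WAN address. The small model below is an added example written for this thread; it is not code from the original posts or from ArubaOS. It encodes exactly those two semantics and then asks whether the HQ core has a return route for the source address it will see. Every address in it (branch LAN 192.168.50.0/24, HQ 10.0.0.0/8, controller VLAN 10 as 10.10.10.0/24, RAP WAN 203.0.113.7, HQ host 10.1.1.1) is an assumption made up for the illustration.

```python
"""Model of how a RAP evaluates a split-tunnel session ACL (first match wins).

Assumed semantics, taken from the thread: 'permit' forwards the packet down the
tunnel to the controller with its source address unchanged, while
'route src-nat' bridges it out of the RAP's uplink with the source rewritten to
the RAP's WAN address.  All addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL line '<src> <dst> <service> <action>', with src always 'any'."""
    dst_net: Optional[str]  # None means the 'any' destination
    service: str            # 'svc-dhcp', 'svc-icmp' or 'any'
    action: str             # 'permit' or 'route src-nat'


@dataclass(frozen=True)
class Verdict:
    path: str        # 'tunnel', 'local' or 'deny'
    src_ip: str      # source address the next hop will see
    rule_index: int  # ACL line that matched (-1 for the implicit deny)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, service: str,
             rap_wan_ip: str) -> Verdict:
    """Walk the ACL top-down and return the fate decided by the first match."""
    for i, rule in enumerate(acl):
        if rule.service not in ("any", service):
            continue
        if rule.dst_net is not None and ip_address(dst_ip) not in ip_network(rule.dst_net):
            continue
        if rule.action == "permit":
            return Verdict("tunnel", src_ip, i)     # tunnelled, source unchanged
        if rule.action == "route src-nat":
            return Verdict("local", rap_wan_ip, i)  # bridged locally, source NATed
        raise ValueError(f"unknown action {rule.action!r}")
    return Verdict("deny", src_ip, -1)              # implicit deny at end of ACL


def hq_can_reply(verdict: Verdict, hq_routes: List[str]) -> bool:
    """Can the HQ core route a reply to the source address it sees?

    Locally bridged traffic never reaches HQ; its reply comes back to the RAP's
    NAT, so only the tunnel path depends on HQ's routing table.
    """
    if verdict.path != "tunnel":
        return verdict.path == "local"
    return any(ip_address(verdict.src_ip) in ip_network(net) for net in hq_routes)


# --- constructed topology (assumptions, not the thread's real addresses) ---
RAP_WAN_IP = "203.0.113.7"        # RAP uplink address at the branch
BRANCH_LAN = "192.168.50.0/24"    # branch subnet served by the branch DHCP server
HQ_NET = "10.0.0.0/8"             # corporate address space behind the controller
RAP_VLAN10 = "10.10.10.0/24"      # VLAN 10 on the controller, used for RAP clients
HQ_ROUTES = [HQ_NET, RAP_VLAN10]  # what the HQ core knows how to reach

# The original poster's ACL: clients hold branch-LAN addresses.
ACL_ORIGINAL = [
    Rule(None, "svc-dhcp", "route src-nat"),   # DHCP from the branch server
    Rule(BRANCH_LAN, "any", "route src-nat"),  # branch servers
    Rule(HQ_NET, "any", "permit"),             # HQ via the tunnel, source untouched
    Rule(None, "any", "route src-nat"),        # everything else via branch internet
]

# Mike's design: clients hold VLAN 10 addresses from the corporate DHCP server.
ACL_RECOMMENDED = [
    Rule(None, "svc-dhcp", "permit"),          # DHCP relayed from the corporate side
    Rule(HQ_NET, "any", "permit"),             # corporate network via the tunnel
    Rule(None, "any", "route src-nat"),        # everything else via branch internet
]


def ping_hq(acl: List[Rule], client_ip: str, hq_host: str = "10.1.1.1"):
    """Return (verdict, reply_possible) for an ICMP echo from the client to HQ."""
    verdict = evaluate(acl, client_ip, hq_host, "svc-icmp", RAP_WAN_IP)
    return verdict, hq_can_reply(verdict, HQ_ROUTES)


if __name__ == "__main__":
    for name, acl, client in (("original", ACL_ORIGINAL, "192.168.50.20"),
                              ("recommended", ACL_RECOMMENDED, "10.10.10.20")):
        v, ok = ping_hq(acl, client)
        print(f"{name:12s} client {client:15s} -> rule {v.rule_index} {v.path:6s} "
              f"src seen by HQ {v.src_ip:15s} reply {'ok' if ok else 'NO ROUTE'}")
```

Running it shows the branch-addressed client reaching HQ over the tunnel with source 192.168.50.20, for which HQ has no route, so the echo reply is lost; the VLAN 10 client reaches HQ with a source HQ can route back to, while its internet traffic still matches the final route src-nat rule and leaves the branch with the RAP's WAN address.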
New Contributor

Hi Mike,

Thanks for the advice. Yes, there was a typo there; it is

I have a question in my mind that I cannot get any answers to: is it possible or not possible that Aruba cannot NAT an address that it does not know? An example is the address at the branch.
Guru Elite

Re: RAP unable to split tunnel properly

It can NAT any address.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*