How to configure role based Source-NAT policies for an SSID on Instant AP? How to troubleshoot?

Aruba Employee
Aruba Employee

Generally, the routing table mentioned in the IAP will be applicable to all SSID's. The configuration mentioned in this is considered in use cases, where you you have two or more SSID's and for SSID-1 you wanted the users corporate and internet traffic to get into VPN tunnel towards controller and then to Internet. Whereas, for the SSID-2, you want corporate traffic to get into tunnel and remaining outbound Internet Traffic to bridge locally.


  • Any destination / service can be configured to have direct Internet access (bypassing tunnel) via  ACL
  • Achieved via src-nat for the defined rule in the ACL
  • Src-NAT done by Virtual Controller using its uplink IP
  • Overrides the routing profile configuration
  • Provides functionality of different forwarding policies for different SSIDs

Environment : This article applies to all Aruba Instant Access Points running Aruba InstantOS version or later.




Following is the configuration for "SSID2", where the wireless users can access a part of the corporate network via tunnel and the outbound Internet traffic is bridged locally doing Src-Nat and then using IAPs uplink IP address.
  • Login to Web Interface of Instant AP
  • Create a New SSID or edit the existing SSID
  • On the "Access" tab, we would add a new rule to allow any service to specific corporate network.

rtaImage (1).jpg



Add an other rule that would Src-NAT and bridge rest of the outbound Internet traffic. As shown below:


rtaImage (2).jpg



Configuration on a Virtual Controller can be verified with the below commands from IAP console or on SSH connection:

VPN status from IAP to Controller:
  • Show VPN Config
  • Show VPN Status

To verify the SSID configuration:
  • Show running-config
To verify the Access-Rule and the list of ACL's:
  • Show access-rule <rule name>


To verify if the client traffic is getting Src-Natted:
  • Show datapath session 

(Filter with the Client IP address and look for Src-Nat flag)


Version history
Revision #:
1 of 1
Last update:
‎07-04-2014 02:00 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: