"show datapath session ap-name <name of ap> table"
With a remote AP, very little unsolicited traffic can get to the AP that did not first originate from the AP, the "session-acl" parameter in the AP system profile determines what unsolicited traffic can be sent to a RAP: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ap_system_profile.htm
By default it is the ap-uplink-acl, which has the following parameters:
ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit
That allows the AP to receive DHCP, allows ping and allows MDNS traffic. You would make that ACL and allowall acl to allow more traffic unsolicited to your clients on a RAP. If your client's traffic is being source-natted from the RAP, local clients cannot reach your clients on a RAP, however.