Okay.
Let's get your topology straight:
- You have Enterprise Clients in Split-tunnel mode so that their traffic can go to corporate, print locally, or be source-natted out to the internet
- You have a printer in bridged mode so that it can be on the local subnet, but reachable by split-tunneled clients.
What you need to do is:
- Turn on RAP-Local Bridging
- Use the "localip" alias to permit traffic, instead of source-natting it
You need to insert this rule in BOTH the split-tunneled enterprise role and the printer wired role:
user alias localip any permit
The localip alias pertains to any ip address that is in the route-cache of the RAP. A RAP has IP visibility of any device that is either split-tunneled or bridged because the traffic is decrypted and can be handled by the RAP. The localip alias, in combination with RAP local bridging will allow traffic between clients on the same RAP without source natting, which might solve your printer issue.
Please try this and see if it works.
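For readers who want to see the two pieces of the answer side by side, here is an added ArubaOS-style configuration sketch. It is not the poster's configuration and not taken from the thread; the profile, ACL and role names (RAP-sysprof, rap-local-permit, rap-internet-srcnat, ENT-split-tunnel, printer-wired) are placeholders, and the assumption that "RAP local bridging" maps to the rap-local-network-access parameter of the AP system profile is mine. The only rule taken from the post is `user alias localip any permit`; the `route src-nat` rule is the usual split-tunnel source-NAT rule. Session ACLs are evaluated top-down, first match, so the localip ACL is placed ahead of the source-NAT ACL in the enterprise role.

```config
! Added example, not from the original post. All names are placeholders.

! 1. RAP local bridging (assumed parameter name) on the AP system profile
!    that the RAPs use, so bridged and split-tunneled devices can reach
!    each other locally instead of hairpinning through the controller.
ap system-profile RAP-sysprof
  rap-local-network-access
!
! 2. Permit anything whose destination is in the RAP's route-cache
!    (the localip alias: split-tunneled or bridged devices behind this RAP).
ip access-list session rap-local-permit
  user alias localip any permit
!
! 3. The split-tunnel source-NAT rule for everything else bound for the internet.
ip access-list session rap-internet-srcnat
  user any any route src-nat
!
! Enterprise split-tunnel role: local destinations matched first (permit, no NAT),
! then the remaining non-corporate traffic is source-NATed out locally.
user-role ENT-split-tunnel
  access-list session rap-local-permit
  access-list session rap-internet-srcnat
!
! Printer wired (bridged) role: same localip permit so return traffic to the
! split-tunneled clients is allowed rather than NATed or dropped.
user-role printer-wired
  access-list session rap-local-permit
```

If the order is reversed in ENT-split-tunnel, client-to-printer traffic matches the src-nat rule first and the printer sees the RAP's address rather than the client's, which is the symptom the post is trying to remove. Check the effective rules on the controller after applying, since the exact parameter name for local bridging may differ by ArubaOS version.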