Thanks for the quick response olino and you’ll see from my posts I don’t have much experience with Aruba. I had to wait until after hours to try to apply the changes as the controller is live and I didn’t want to take down the uplink somehow, but I never got your suggestions to work. Let me explain my network architecture a bit more and then what I tried.
Subnet provided by ISP for use: 10.0.0.1/28
Controller IP: 10.0.0.2
Controller Default Gateway: 10.0.0.1
VLAN 1: IP 10.0.0.2/24 on gig 1/0
VLAN 2: IP 172.16.1.1/24 on gig 1/1, ip nat inside
Prior to attempting your recommendations, there were absolutely no NAT-Pools in my config other than this one:
ip nat pool dynamic-srcnat 0.0.0.0 0.0.0.0
I’m not sure what in the config was already making src-nat work to cause VLAN2 to be NATed behind VLAN1. I don’t have any user roles or wired AAA profiles applied to either VLAN1 or VLAN2; rather, on gig1/0 I have an access-list allowing inbound NAT-T, HTTPS, SSH, ICMP, and port 4343 to the controller IP. On gig1/1 (VLAN2) I have no access-list, nor is the VLAN assigned to any user role, and none of the IPs on that VLAN show under the user list.
So my first question is: what is making this work NAT-wise in the first place? I get that the controller’s default gateway lives on the same subnet as the IP on VLAN1, so is that doing it by default? I do have one entry in the Uplink Management Table that shows VLAN1 as a wired uplink, but the manager is disabled, so I don’t think that is it.
And now I want to use my additional provided external IP addresses 10.0.0.3 and 10.0.0.4 on the controller to NAT to different devices on VLAN2. I created the NAT pools leaving the “Destination NAT IP” blank, although I’m curious what putting something in that Destination NAT IP field does?
ip nat pool <name1> 10.0.0.3 10.0.0.4
Then I created VLAN 3 and applied it to gig 1/2 without assigning an IP to it, and I connected it to the same switch that my uplink VLAN1 (10.0.0.2) is configured to. Then I created a session access-list to dst-nat the ports that I need:
ip access-list session <inbound-name>
host 10.0.0.3 any svc-http dst-nat ip 172.16.1.10
host 10.0.0.3 any svc-https dst-nat ip 172.16.1.10
Then I applied that as the session firewall policy on port gig 1/2. I presumed that, since the devices behind VLAN2 were already src-natting through VLAN1, I couldn’t add another src-nat rule for devices behind VLAN2.
I’m sure I’m way off the mark here as I didn’t have any luck. Do I need to apply aaa profiles to the wired ports on the controller?
Thanks again, I really appreciate the advice.
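For readers following this thread, below is an added configuration sketch of the static one-to-one mapping the post is trying to build (one public address forwarded to one internal host, with return traffic sourced from the same public address). It is not the poster’s config and not from the thread; it reflects the ArubaOS CLI forms as generally documented (`ip nat pool`, `ip access-list session`, `dst-nat ip`, `src-nat pool`, `ip access-group ... session`). The names pool-web, inbound-web and outbound-web, the interface numbers, and the choice to apply the outbound policy on VLAN 2 are assumptions for illustration; check them against your release notes before use. One detail worth noting: session ACL rules are written source first, then destination, so an inbound rule for traffic arriving at 10.0.0.3 matches `any host 10.0.0.3`, not `host 10.0.0.3 any`.

```text
! Pool holding the single public address used for this mapping (assumed name)
ip nat pool pool-web 10.0.0.3 10.0.0.3

! Inbound: anything arriving for 10.0.0.3 on web ports is forwarded to 172.16.1.10,
! keeping the original port (the trailing port argument is optional)
ip access-list session inbound-web
  any host 10.0.0.3 svc-http  dst-nat ip 172.16.1.10 80
  any host 10.0.0.3 svc-https dst-nat ip 172.16.1.10 443

! Outbound: replies and new sessions from 172.16.1.10 leave as 10.0.0.3 rather than
! the controller's own 10.0.0.2; this rule must be hit before any catch-all src-nat
ip access-list session outbound-web
  host 172.16.1.10 any any src-nat pool pool-web

! Apply the inbound policy on the port facing the ISP switch (assumed gig 1/2)
interface gigabitethernet 1/2
  ip access-group inbound-web session

! Apply the outbound policy on the inside VLAN (assumption: VLAN 2 is where the
! internal hosts' sessions first enter the firewall)
interface vlan 2
  ip access-group outbound-web session
```

Two practical checks after applying something like this: `show datapath session table 172.16.1.10` should show the dst-nat’d session with the translated address, and `show ip access-list inbound-web` should show hit counts rising when you probe 10.0.0.3 from outside. If the hit count stays at zero, the traffic is not reaching the interface where the policy is applied, which is the first thing to rule out before touching the NAT rules themselves.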