Q: What is the difference between "ip nat inside" and "ip nat outside" feature on Aruba Mobility Controller?
A: Functionality wise "ip nat inside" and "ip nat outside" does the same function which is source NAT. The difference between them is explained in the below example
IP NAT OUTSIDE:
In the above example we have 6 VLANs on the controller. Here VLAN 1 is the management VLAN of the controller. VLAN 2 is the uplink/egress VLAN and the default gateway of the controller. "ip nat outside" is configured on VLAN 2. In this example when there is any packet destined from any of the downlink VLANs to network which hits the route "S* 0.0.0.0/0 [1/0] via 2.2.2.1*" on the routing table of the controller then the source ip of the packet is NATed with the interface ip of the egress VLAN of the controller where the "ip nat outside" is configured.
Let us consider if there is a computer on VLAN 3 with an ip address of 3.3.3.10 and trying to ping 90.1.1.1 device. This hits the the route "S* 0.0.0.0/0 [1/0] via 2.2.2.1*" on the routing table of the controller. When we take a packet capture on the device with the ip 90.1.1.1 then the icmp request packet will contain the source ip as the interface ip 2.2.2.2 of VLAN 2 and the destination ip as 90.1.1.1. This applies to the other internal VLANs on the controllers provided in this example.
Now let us consider if there is a computer on VLAN 3 with an ip address of 3.3.3.10 and trying to ping 6.6.6.10 device. When we take a packet capture on the device with the ip 6.6.6.10 then the icmp request packet will contain the source ip as the interface ip 3.3.3.10 of VLAN 2 and the destination ip as 6.6.6.10. No NAT happens in this case.
IP NAT INSIDE:
In the above example we have 6 VLANs on the controller. Here VLAN 1 is the management VLAN of the controller. VLAN 2 is the uplink/egress VLAN and the default gateway of the controller. In this example when there is any packet destined from any of the downlink VLANs where "ip nat inside" is configured to network which hits the route "S* 0.0.0.0/0 [1/0] via 2.2.2.1*" on the routing table of the controller then the source ip of the packet is NATed with the interface ip of the Management VLAN of the controller always. We do not have an option to use any other VLAN
Let us consider "ip nat inside" is configured only on interface VLAN 3. If there is a computer on VLAN 3 with an ip address of 3.3.3.10 and trying to ping 90.1.1.1 device which hits the the route "S* 0.0.0.0/0 [1/0] via 2.2.2.1*" on the routing table of the controller. When we take a packet capture on the device with the ip 90.1.1.1 then the icmp request packet will contain the source ip as the interface ip 1.1.1.1 of VLAN 1(Mgmt VLAN) and the destination ip as 90.1.1.1. This applies to only to the interface VLANs where "ip nat inside" is configured.
Now let us consider if there is a computer on VLAN 3 with an ip address of 3.3.3.10 and trying to ping 6.6.6.10 device. When we take a packet capture on the device with the ip 6.6.6.10 then the icmp request packet will contain the source ip as the interface ip 1.1.1.1 of VLAN 1(Mgmt VLAN) and the destination ip as 6.6.6.10. Source NATing happens in this case.
Configuration Difference:
1. "ip nat outside" should be configured only on the Egress VLAN interface on the controller which holds the gateway of the controller.
2. "ip nat inside" should be configured on each and every VLAN interface where the traffic required to be Source NATed.