Catalyst 3850 - Can you set a static route?

I have a Cisco Catalyst 3850 switch with a wireless router plugged into it.  The wireless AP is getting its WAN IP from the switch in the range of via DHCP.  It is handing out wireless IP addresses in the range of  Wireless devices can ping other devices on the switch with the addresses but not visa versa.  I believe this to be because the devices have no route to the wireless IPs.  Is there a way to set a route in the 3850 so the route to the wireless IPs is known?

In other words, if you are a device and you want to get to a wireless device on, use the DHCP assigned IP address that's on the wireless router to get there.

Thanks in advance for your thoughts.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
What kind of wireles AP is it?

Is it performing NAT for the wireless clients?  Is something else performing NAT?  If your NAT device is upstream, you will need to set a static route pointing to your wireless AP for any routers internal on your network

For example, if you have:

(1) Firewall - NAT Device
(5) routers
(10) switches

and the AP is connected to, lets say R1.  You will need to create a static route entry on R1 pointing to the wireless AP for the subnet for the wireles clients (  From there, you may need to configure those static routes (perhaps to R1, perhaps to something else) on other routers as well.  Alternatively, you can export your route.

A topography diagram would be helpful in this situation, to see exactly where everything is breaking down (if you want to do something in paint, that is fine).  If you could label devices as "NAT","Firewall","Router", "Switch" that would definitely help.
If you can ping 7.x devices from the 6.x devices, then the route exists already. If you can only ping one way then the problem is a firewall or access list of some kind- either on the hosts or in between the 2 subnets.
CipherUserAuthor Commented:
As requested, a simple network diagram has been attached.
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
Not to argue, but I have seen some very strange things with pinging.  For example, pinging through a device without nat from a private IP to  the public IP default gateway.  It isn't likely that it will happen, but I want to rule it all out, which is why I asked if NAT was being done.
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
Is the AP doing NAT?

What is the default gateway for the client device?
CipherUserAuthor Commented:
The AP is NATing - all private address spaces.  The WAN side is  The LAN side is  The default gateway of the PC client is
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
If the AP is natting you will only be able to ping the AP from the WAN side.  To ping clients, you would need either a 1-to-1 nat which the network most likely cannot support or to configure a routed network.

On the router that your clients are using as the default gateway, you would have to add a route similar to this:

IP route 192.168.7.x

Open in new window

where x is the IP of the AP.

This will only work in routed mode, not in "gateway" (routing + nat)
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
Clarity: the router that your clients as their  default gateway will need the static route

The clients will go to your default gateway because it is in a different subnet.  That gateway then forwards the packet to the appropriate "router" (the AP) to handle that subnet.
CipherUserAuthor Commented:
Daniel - I tried the IP route statement on the switch earlier, but it didn't seem to work.  What do you mean by your last statement?  Are you referring to the AP or the switch?  Thanks!
CipherUserAuthor Commented:
Sorry - Posting at the same time.  What do you mean by "This will only work in routed mode, not in "gateway" (routing + nat)"?  Are you referring to the AP or the switch?
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
Since the AP if performing NAT, the static route will not work.

To the subnet, your clients are being presented as your AP's IP address using port overloading.

A TCP connection is like this:

Source ______________________________ Destination ------------------------

In this example, you are connecting to port 80 from port 65454

Going through NAT, the "source" would be translated to port <random>.  Devices that perform NAT will normally drop connections to NAT'd devices behind them either for security or because of the NAT rule itself.

You have to make a choice.  Either stick with NAT and not be able to ping the devices behind the AP, or ditch NAT and setup a routed network.  You can't "have both" (*There are exceptions, but for consumer devices this is not normally the case)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
I was referring to the AP performing both routing and NAT
Agree with Daniel, and it was a good call oh his part to ask about NAT. The wireless devices can ping the 192.168.7 addresses because they are being translated on the way out to the AP's address on a random port. NAT keeps track of that, allowing the replies to go back to the ping source. But you can't ping the 192.168.6 hosts because the AP does not NAT traffic sourced from the outside. That's the way dynamic NAT works.
CipherUserAuthor Commented:
Daniel or Mike,

I have placed the Cisco Wireless AP in routed mode (no NAT), but I still have the issue with no connectivity between the 192.168.96.x and 192.168.97.x networks.

(See Diagram) The laptop (96.119) can ping both interfaces on the wireless AP because they are local to the AP. I cannot however ping the Desktop computer (97.2).  My assumption is that the route back to the 192.168.68.x network is missing.  

I can ping the WAN interface (97.15) on the AP from the Desktop (97.7), but cannot ping the LAN interface (96.1) or the laptop (96.119).  Again, I believe this to be because there is a missing route.

I have ANY to ANY rules for both inbound and outbound on the AP for this test.

Do I need to add a route so that the Desktop can find it's way back to the laptop? If so, where do I add the route and how?

Thank you for your continued help.  I awarded the points because Daniel was correct in that the NAT on the AP would prevent this from working, but I still have my original issue.  I can open a new question if you think that is the best course to take.
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
On your switch, add
IP route x.x.96.0 x.x.97.15

Open in new window

Should be all you need.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.