ASA5506W-X - Borrowing Its Internal AP702i Possible?

The ultimate goal of this unusual configuration is to have multiple broadcast domains shared by wireless and wired devices whose IP addresses are served by an external DHCP server. This means that two or more broadcast domains (VLANs) defined in the internal AP of the ASA must get to the DHCP server as if they were defined on a regular switch. To achieve this, VLANs are created in the internal AP (702i), and a bunch of SSIDs are associated with them. The AP’s VLANs are then “bridged out” to separate ethernet ports of the ASA. The ASA’s ethernet ports are then connected to separate access ports of an external switch configured with the same VLAN IDs initially defined in the AP. On the external switch, wired devices are also connected to other access ports on the same VLANs. The DHCP server is then finally connected to a trunk port of the switch to serve the DHCPREQUESTs coming from all wireless and wired devices on the various VLANs.

Is this weird setup possible?

My ASA has a basic license, so I only have 5 “tagged” VLANs available (in addition to the untagged VLAN 1).

I want to use these 1+5 VLANs to “trunk” GE09 of the ASA and then bridge them out onto 6 separate ethernet ports of the ASA (here the VLAN IDs are lost).

Then, I want to connect those 6 ethernet ports of the ASA to 6 separate access ports of a switch “recreating” the same VLAN IDs on the switch.

So far, I’ve managed to get the 1+5 broadcast domains to the DHCP server, but I’m not sure about my configuration and need a better understanding of it.

Thank you.

Hello Matteo

Your setup is not common, but it is possible. You’ve described it well, and at first glance, it sounds like something that can be achieved. You’re essentially using the ASA as a bridge between the internal AP and the external switch, allowing the VLANs of each SSID to be carried from the AP through the ASA and onto the switch. From there, you have the DHCP server that serves each VLAN.

The key part of this setup is the configuration of the ASA so that the ethernet ports are correctly bridged to the VLAN associated with each SSID of the AP. This will allow the VLANs from the AP to be carried through the ASA and onto the switch.

I can’t be absolutely sure that the setup will work, simply because I haven’t tried it. Because of its uniqueness, I believe the only surefire way to know if this scenario will work is to try it out. The only potential issue I see is the limitation of your ASA license. With a basic license, you can only have 5 tagged VLANs (plus the untagged VLAN 1). Is there also any limitation of bridging from the AP to your wired interfaces? This is something you will have to discover practically. If you need more VLANs, or additional capabilities, you may need to upgrade your license.

You said that you’ve managed to get the broadcast domains to the DHCP server, but have you been able to successfully bridge the AP’s SSIDs to the appropriate VLANs to get your wireless clients on those same broadcast domains? If not, can you share where you are stuck so that we can help you further? I’d be interested to hear how you’re getting along, so let us know of your situation and your progress.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for the reply!

Here is my configuration of the internal AP and the ASA (some commands are irrelevant to the goal of this project, so just skip them).

With this configuration, the TUX box can assign IPs per VLAN to both wired and wireless devices.

But I also have issues, such as routing loops (which I cured with SNAT on TUX’s net1 interface - I don’t like this solution much).

Anyway,

Let’s start from here.

Thank you!

#-------#
# NOTES #
#-------#

# "Cisco ASA 5506-X  Security Plus License"  (L-ASA5506-SEC-PL=)
# is  NOT  mandatory  for  this    configuration (vlan used = 5)
#
# (1+5)x  ASA  VLANs (1,10,12-15)  are used to bridge (1+5)x  AP
# VLANs (1,10,12-15) to 6x ASA separate  ethernet ports (p2-p7):
#
#               ASA
#            +-------+
#         AP | p8  o-|--- out       SW
#       +------------+           +-------+  \
#  BVI1 | 1  | p7  o-|--- mgt ---|-o  1  |  |
#       +------------+           +-------+  |
#  BVI3 | 12 | p6  o-|--- dev ---|-o  12 |  |
#       +------------+           +-------+  |
#  BVI4 | 13 | p5  o-|--- iot ---|-o  13 |  |
#       +------------+           +-------+  | ACCESS PORTS  WITH
#  BVI5 | 14 | p4  o-|--- aux ---|-o  14 |  | ASSOCIATED VLAN ID
#       +------------+           +-------+  |
#  BVI6 | 15 | p3  o-|--- van ---|-o  15 |  |
#       +------------+           +-------+  |
#  BVI2 | 10 | p2  o-|--- one ---|-o  10 |  |
#       +------------+           +-------+  |
#            | p1  o-|--- top ---|-o  11 |  |
#            +-------+           +-------+  /
#
# IMPORTANT: NO TRUNKS ARE USED TO CONNECT THE ASA TO THE SWITCH
#
#     ASA
#  +-------+
#  | p8  o-|--- out               SW
#  +-------+            +-------+--------------+
#  | p7  o-|--- mgt ----|-o  1  | 1,10,12-15 o-|---+
#  +-------+            +-------+--------------+   |
#  | p6  o-|--- dev ----|-o  12 |               +--+ inside
#  +-------+            +-------+     +-------+ | ------------
#  | p5  o-|--- iot ----|-o  13 |     |       v | net0 (TRUNK)
#  +-------+            +-------+  DHCP SRV  +-----+
#  | p4  o-|--- aux ----|-o  14 |    and     | TUX |
#  +-------+            +-------+ DEFAULT GW +-----+
#  | p3  o-|--- van ----|-o  15 |               | net1 (NAT/PAT)
#  +-------+            +-------+               | --------------
#  | p2  o-|--- one ----|-o  10 |               |    outside
#  +-------+            +-------+-----------+   |
#  | p1  o-|--- top ----|-o  11 |    11   o-|---+
#  +-------+            +-------+-----------+
#
# IMPORTANT: ASA DOES 'NAT/PAT' ON 'out' FOR 'top' NETWORK  ONLY
#            TUX DOES 'NAT/PAT' ON 'net1' TO AVOID ROUTING LOOPS

#---------------#
# CONFIGURATION #
#---------------#

! 'write erase' both AP and ASA before starting

Pre-configure Firewall now through interactive prompts [yes]? no

ciscoasa> enable

The enable password is not set.  Please set it now.
Enter  Password: **********
Repeat Password: **********
Note: Save your configuration so that the password persists across reboots
("write memory" or "copy running-config startup-config").

ciscoasa# write memory

ciscoasa# session wlan console

ap> enable

Password: <<=== enter 'Cisco'

ap# configure terminal
ap(config)# hostname AP
AP(config)# enable secret level 15 0 mypassinplaintext
AP(config)# do show running-config | include username

username Cisco password 7 096F471A1A0A

AP(config)# no username Cisco password 7 096F471A1A0A

This operation will remove all username related configurations with same name.Do you want to continue? [confirm]

AP(config)# dot11 vlan-name mgt vlan 1
AP(config)# dot11 vlan-name one vlan 10
AP(config)# dot11 vlan-name dev vlan 12
AP(config)# dot11 vlan-name iot vlan 13
AP(config)# dot11 vlan-name aux vlan 14
AP(config)# dot11 vlan-name van vlan 15

AP(config)# dot11 ssid MGT
AP(config-ssid)# vlan mgt
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# dot11 ssid ONE
AP(config-ssid)# vlan one
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# dot11 ssid DEV
AP(config-ssid)# vlan dev
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# dot11 ssid IOT
AP(config-ssid)# vlan iot
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# dot11 ssid AUX
AP(config-ssid)# vlan aux
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# dot11 ssid VAN
AP(config-ssid)# vlan van
AP(config-ssid)# authentication open
AP(config-ssid)# authentication key-management wpa version 2
AP(config-ssid)# mbssid guest-mode
AP(config-ssid)# wpa-psk ascii 0 mywifipassinplaintext
AP(config-ssid)# exit

AP(config)# bridge irb

AP(config)# interface Dot11Radio0
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# shutdown
AP(config-if)# encryption vlan mgt mode ciphers aes-ccm
AP(config-if)# encryption vlan dev mode ciphers aes-ccm
AP(config-if)# encryption vlan iot mode ciphers aes-ccm
AP(config-if)# ssid MGT
AP(config-if)# ssid DEV
AP(config-if)# ssid IOT
AP(config-if)# mbssid
AP(config-if)# station-role root
AP(config-if)# exit

AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 1
AP(config-subif)# exit

AP(config)# interface Dot11Radio0.10
AP(config-subif)# encapsulation dot1Q 10
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 2
AP(config-subif)# exit

AP(config)# interface Dot11Radio0.12
AP(config-subif)# encapsulation dot1Q 12
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 3
AP(config-subif)# exit

AP(config)# interface Dot11Radio0.13
AP(config-subif)# encapsulation dot1Q 13
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 4
AP(config-subif)# exit

AP(config)# interface Dot11Radio0.14
AP(config-subif)# encapsulation dot1Q 14
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 5
AP(config-subif)# exit

AP(config)# interface Dot11Radio0.15
AP(config-subif)# encapsulation dot1Q 15
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 6
AP(config-subif)# exit

AP(config)# interface Dot11Radio1
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# shutdown
AP(config-if)# encryption vlan one mode ciphers aes-ccm
AP(config-if)# ssid ONE
AP(config-if)# mbssid
AP(config-if)# station-role root
AP(config-if)# exit

AP(config)# interface Dot11Radio1.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 1
AP(config-subif)# exit

AP(config)# interface Dot11Radio1.10
AP(config-subif)# encapsulation dot1Q 10
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 2
AP(config-subif)# exit

AP(config)# interface Dot11Radio1.12
AP(config-subif)# encapsulation dot1Q 12
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 3
AP(config-subif)# exit

AP(config)# interface Dot11Radio1.13
AP(config-subif)# encapsulation dot1Q 13
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 4
AP(config-subif)# exit

AP(config)# interface Dot11Radio1.14
AP(config-subif)# encapsulation dot1Q 14
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 5
AP(config-subif)# exit

AP(config)# interface Dot11Radio1.15
AP(config-subif)# encapsulation dot1Q 15
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 6
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# interface GigabitEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 1
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0.10
AP(config-subif)# encapsulation dot1Q 10
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 2
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0.12
AP(config-subif)# encapsulation dot1Q 12
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 3
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0.13
AP(config-subif)# encapsulation dot1Q 13
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 4
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0.14
AP(config-subif)# encapsulation dot1Q 14
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 5
AP(config-subif)# exit

AP(config)# interface GigabitEthernet0.15
AP(config-subif)# encapsulation dot1Q 15
AP(config-subif)# no ip route-cache
AP(config-subif)# bridge-group 6
AP(config-subif)# exit

AP(config)# do show running-config | include mac-address

mac-address 0042.5ad0.0d02

AP(config)# interface BVI1
AP(config-if)# mac-address 0042.5ad0.0d02
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# no ipv6 address dhcp
AP(config-if)# no ipv6 address autoconfig
AP(config-if)# no ipv6 enable
AP(config-if)# exit

AP(config)# interface BVI2
AP(config-if)# mac-address 0042.5ad0.0d03
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# interface BVI3
AP(config-if)# mac-address 0042.5ad0.0d04
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# interface BVI4
AP(config-if)# mac-address 0042.5ad0.0d05
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# interface BVI5
AP(config-if)# mac-address 0042.5ad0.0d06
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# interface BVI6
AP(config-if)# mac-address 0042.5ad0.0d07
AP(config-if)# no ip address
AP(config-if)# no ip route-cache
AP(config-if)# exit

AP(config)# bridge 1 route ip

AP(config)# line console 0
AP(config-line)# session-timeout 60
AP(config-line)# exit

# we set both radio interfaces down till we're done configuring the ASA

AP(config)# interface Dot11Radio0
AP(config-if)# shutdown
AP(config-if)# exit

AP(config)# interface Dot11Radio1
AP(config-if)# shutdown
AP(config-if)# exit

AP(config)# end

AP# write memory

AP# reload

# 'Ctrl-b' to quit 'session wlan console'

ciscoasa# configure terminal

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname XASA

XASA(config)# banner login
XASA(config)# banner login *****************************
XASA(config)# banner login *** WELCOME TO ASA (XLAB) ***
XASA(config)# banner login *****************************
XASA(config)# banner login

XASA(config)# interface GigabitEthernet1/1
XASA(config-if)# nameif asatop
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.11.254 255.255.255.0
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/2
XASA(config-if)# bridge-group 2
XASA(config-if)# nameif asaone
XASA(config-if)# security-level 50
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/3
XASA(config-if)# bridge-group 6
XASA(config-if)# nameif asavan
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/4
XASA(config-if)# bridge-group 5
XASA(config-if)# nameif asaaux
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/5
XASA(config-if)# bridge-group 4
XASA(config-if)# nameif asaiot
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/6
XASA(config-if)# bridge-group 3
XASA(config-if)# nameif asadev
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/7
XASA(config-if)# bridge-group 1
XASA(config-if)# nameif asamgt
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/8
XASA(config-if)# nameif asaout
XASA(config-if)# security-level 0
XASA(config-if)# ip address XXX.XXX.XXX.XXX 255.255.255.248
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface Management1/1
XASA(config-if)# management-only
XASA(config-if)# shutdown
XASA(config-if)# no nameif
XASA(config-if)# no security-level
XASA(config-if)# no ip address
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/9
XASA(config-if)# bridge-group 1
XASA(config-if)# nameif apmgt
XASA(config-if)# security-level 100
XASA(config-if)# no shutdown
XASA(config-if)# exit

XASA(config)# interface GigabitEthernet1/9.10
XASA(config-subif)# vlan 10
XASA(config-subif)# bridge-group 2
XASA(config-subif)# nameif apone
XASA(config-subif)# security-level 50
XASA(config-subif)# exit

XASA(config)# interface GigabitEthernet1/9.12
XASA(config-subif)# vlan 12
XASA(config-subif)# bridge-group 3
XASA(config-subif)# nameif apdev
XASA(config-subif)# security-level 100
XASA(config-subif)# exit

XASA(config)# interface GigabitEthernet1/9.13
XASA(config-subif)# vlan 13
XASA(config-subif)# bridge-group 4
XASA(config-subif)# nameif apiot
XASA(config-subif)# security-level 100
XASA(config-subif)# exit

XASA(config)# interface GigabitEthernet1/9.14
XASA(config-subif)# vlan 14
XASA(config-subif)# bridge-group 5
XASA(config-subif)# nameif apaux
XASA(config-subif)# security-level 100
XASA(config-subif)# exit

XASA(config)# interface GigabitEthernet1/9.15
XASA(config-subif)# vlan 15
XASA(config-subif)# bridge-group 6
XASA(config-subif)# nameif apvan
XASA(config-subif)# security-level 100
XASA(config-subif)# exit

XASA(config)# interface BVI1
XASA(config-if)# nameif mgt
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.1.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# interface BVI2
XASA(config-if)# nameif one
XASA(config-if)# security-level 50
XASA(config-if)# ip address 10.72.10.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# interface BVI3
XASA(config-if)# nameif dev
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.12.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# interface BVI4
XASA(config-if)# nameif iot
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.13.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# interface BVI5
XASA(config-if)# nameif aux
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.14.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# interface BVI6
XASA(config-if)# nameif van
XASA(config-if)# security-level 100
XASA(config-if)# ip address 10.72.15.254 255.255.255.0
XASA(config-if)# exit

XASA(config)# route asaout 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX ! we need it here for the clock synchronization

XASA(config)# clock timezone CET 1 0
XASA(config)# clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 60
! time.google.com (216.239.35.0)
XASA(config)# ping 216.239.35.0
XASA(config)# ntp server 216.239.35.0 source asaout prefer

XASA(config)# show ntp status ! you might need to run it multiple times to see "synchronized"

Clock is synchronized, stratum 2, reference is 216.239.35.0
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is e96854ad.8de2edd9 (06:59:09.554 CET Sat Feb 3 2024)
clock offset is -0.0344 msec, root delay is 16.37 msec
root dispersion is 15.78 msec, peer dispersion is 15.66 msec

XASA(config)# domain-name labnet
XASA(config)# crypto key generate rsa modulus 4096
XASA(config)# aaa authorization exec LOCAL auto-enable
XASA(config)# dns domain-lookup asaout
XASA(config)# dns server-group DefaultDNS
XASA(config-dns-server-group)# name-server 8.8.4.4 8.8.8.8
XASA(config-dns-server-group)# exit

XASA(config)# same-security-traffic permit inter-interface

XASA(config)# object network MGT
XASA(config-network-object)# subnet 10.72.1.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network ONE
XASA(config-network-object)# subnet 10.72.10.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network TOP
XASA(config-network-object)# subnet 10.72.11.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network DEV
XASA(config-network-object)# subnet 10.72.12.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network IOT
XASA(config-network-object)# subnet 10.72.13.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network AUX
XASA(config-network-object)# subnet 10.72.14.0 255.255.255.0
XASA(config-network-object)# exit

XASA(config)# object network VAN
XASA(config-network-object)# subnet 10.72.15.0 255.255.255.0
XASA(config-network-object)# exit

#XASA(config)# object network LAB
#XASA(config-network-object)# subnet 10.72.21.0 255.255.255.0
#XASA(config-network-object)# exit

XASA(config)# object network XLAB-SSH
XASA(config-network-object)# host 10.72.11.1
XASA(config-network-object)# exit

XASA(config)# object network XLAB-CAM
XASA(config-network-object)# host 10.72.11.1
XASA(config-network-object)# exit

XASA(config)# object network XSRV1-SSH
XASA(config-network-object)# host 10.72.11.101
XASA(config-network-object)# exit

XASA(config)# object network XLASS-SSH
XASA(config-network-object)# host 10.72.10.100
XASA(config-network-object)# exit

XASA(config)# access-list INBOUND extended permit tcp any object XLAB-SSH eq ssh
XASA(config)# access-list INBOUND extended permit tcp any object XSRV1-SSH eq ssh
XASA(config)# access-list INBOUND extended permit tcp any object XLASS-SSH eq ssh
XASA(config)# access-list INBOUND extended permit tcp any object XLAB-CAM eq 8081
XASA(config)# access-list INBOUND extended permit icmp any any echo-reply

XASA(config)# object network ONE
XASA(config-network-object)# nat (asaone,asaout) dynamic interface
XASA(config-network-object)# exit

XASA(config)# object network TOP
XASA(config-network-object)# nat (asatop,asaout) dynamic interface
XASA(config-network-object)# exit

XASA(config)# object network XLAB-SSH
XASA(config-network-object)# nat (asatop,asaout) static interface service tcp ssh 2022
XASA(config-network-object)# exit

XASA(config)# object network XSRV1-SSH
XASA(config-network-object)# nat (asatop,asaout) static interface service tcp ssh 2023
XASA(config-network-object)# exit

XASA(config)# object network XLASS-SSH
XASA(config-network-object)# nat (asaone,asaout) static interface service tcp ssh 2021
XASA(config-network-object)# exit

XASA(config)# object network XLAB-CAM
XASA(config-network-object)# nat (asatop,asaout) static interface service tcp 8081 8081
XASA(config-network-object)# exit

XASA(config)# access-group INBOUND in interface asaout

XASA(config)# user-identity default-domain LOCAL
XASA(config)# aaa authorization exec LOCAL auto-enable

XASA(config)# telnet timeout 5
XASA(config)# ssh version 2
XASA(config)# ssh timeout 60
XASA(config)# console timeout 60

XASA(config)# dhcpd address 10.72.10.131-10.72.10.150 one
XASA(config)# dhcpd enable one

XASA(config)# !call-home reporting anonymous

XASA(config)# end

XASA# write memory

XASA# reload

XASA> enable

Password: **********

XASA# session wlan console

AP> enable

Password:

AP# configure terminal

AP(config)# interface Dot11Radio0
AP(config-if)# no shutdown
AP(config-if)# exit

AP(config)# interface Dot11Radio1
AP(config-if)# no shutdown
AP(config-if)# exit

AP(config)# end

AP# write memory

AP# exit
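One way to check the VLAN-to-port bridging in an ASA transcript like the one posted above, as an added example that is not part of the original post: it parses the prompt-prefixed lines, groups interfaces by `bridge-group`, and reports any group that does not pair exactly one AP-facing VLAN with one access port, because a mistyped group number silently merges two segments into one broadcast domain. The function names `parse_interfaces` and `audit_bridging` are hypothetical, the sample transcript is constructed, and the parent trunk port is assumed to carry untagged VLAN 1.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^\S+\((config[^)]*)\)#\s*(.*)$")
KEYS = re.compile(r"(vlan|bridge-group|nameif|security-level) (\S+)")

def parse_interfaces(transcript):
    """Collect per-interface settings from prompt-prefixed ASA CLI lines."""
    ifaces, cur = {}, None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        mode, cmd = m.groups()
        if mode == "config":  # global mode: only 'interface' opens a block
            im = re.match(r"interface (\S+)", cmd)
            cur = ifaces.setdefault(im.group(1), {}) if im else None
        elif cur is not None and (km := KEYS.match(cmd)):
            cur[km.group(1)] = km.group(2)
    return ifaces

def audit_bridging(transcript, trunk="GigabitEthernet1/9"):
    """Return (vlan -> access port map, findings) for the AP-facing trunk."""
    groups = defaultdict(lambda: {"vlans": [], "ports": [], "levels": set()})
    for name, attrs in parse_interfaces(transcript).items():
        bg = attrs.get("bridge-group")
        if bg is None:
            continue  # routed, BVI or unused interface: not a bridge member
        g = groups[bg]
        if name == trunk or name.startswith(trunk + "."):
            g["vlans"].append(attrs.get("vlan", "1"))  # assumption: parent = untagged VLAN 1
        else:
            g["ports"].append(name)
        g["levels"].add(attrs.get("security-level"))
    vlan_map, findings = {}, []
    for bg, g in sorted(groups.items(), key=lambda kv: int(kv[0])):
        if len(g["vlans"]) == 1 and len(g["ports"]) == 1:
            vlan_map[g["vlans"][0]] = g["ports"][0]
        else:
            findings.append(f"bridge-group {bg}: VLANs {g['vlans']} bridged to ports {g['ports']}")
        if len(g["levels"]) > 1:
            findings.append(f"bridge-group {bg}: members have different security levels")
    return vlan_map, findings

# Constructed transcript in the style of the post: VLAN 10 and 13 are declared
# as intended, but the VLAN 14 access port was typed into bridge-group 4.
SAMPLE = """
XASA(config)# interface GigabitEthernet1/2
XASA(config-if)# bridge-group 2
XASA(config-if)# security-level 50
XASA(config)# interface GigabitEthernet1/4
XASA(config-if)# bridge-group 4
XASA(config-if)# security-level 100
XASA(config)# interface GigabitEthernet1/5
XASA(config-if)# bridge-group 4
XASA(config-if)# security-level 100
XASA(config)# interface GigabitEthernet1/9.10
XASA(config-subif)# vlan 10
XASA(config-subif)# bridge-group 2
XASA(config-subif)# security-level 50
XASA(config)# interface GigabitEthernet1/9.13
XASA(config-subif)# vlan 13
XASA(config-subif)# bridge-group 4
XASA(config-subif)# security-level 100
XASA(config)# interface GigabitEthernet1/9.14
XASA(config-subif)# vlan 14
XASA(config-subif)# bridge-group 5
XASA(config-subif)# security-level 100
"""

if __name__ == "__main__":
    vlan_map, findings = audit_bridging(SAMPLE)
    print(vlan_map)
    print(*findings, sep="\n")
```

Run against the full transcript, a clean result is an empty findings list and a map that matches the port-to-VLAN diagram in the notes.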

Hello Matteo

Thanks for the details that you provided. Can you further clarify what state your topology is in? In other words, are hosts on the wired and wireless portions of your networks able to communicate with each other at Layer 2? Are hosts on different VLANs able to communicate with each other via routing? Is the rest of your topology working as expected? Where does routing take place, on the ASA? What kind of routing loops are there and where are you experiencing them? I am unable to decipher your topology diagram, especially in the area where you have the TUX, the DHCP SRV and the DEFAULT GW. It’s also not clear via what device you connect to the Internet.
Can you tell us more about the TUX device and what it is?

In order for us to help you more efficiently, beyond the configuration itself, tell us a little more about these things, and give us the specific problem you are facing, so we can help troubleshoot in a more focused manner.

I hope this has been helpful!

Laz