Help: ASA 5505, AP 1130AG, multiple SSIDs and subnets

Hello all,

I have an ASA5505 between me and the internet (bridged off my ISP).  The outside interface gets the public IP from the ISP modem; all works great.

Off Ethernet0/6 on the ASA I have a Cisco Aironet 1130AG Access Point (power over ethernet).

My goal is to have two SSIDs, one as my main LAN subnet (zerone) and the other as a Guest 'net only (Zero G) that will only have access to the outside world, nothing on the inside.

It seems like I am almost there, but I'm missing something basic with Dot1q, trunking, or routing.

On my ASA I have Vlan8 as my "inside" with a DHCPD scope enabled on inside.  I also have Vlan77 defined as my "guest-wlan" with a DHCP scope enabled on guest-wlan.

On Ethernet0/6 (facing the AP), I have switchport trunk with allowed vlans 8,77 with 8 as the native.


This all seems like it should be working. I configured the AP as far as I know how and I can see both BSSID beacons. I am unable to connect to either. I am prompted for the WPA2 password, but time out after that.


Any ideas?


Attached are my Show Run of the ASA and AP.

Network is:  ISP_Modem <--> Eth0/0 ASA5505 Eth0/6 <--> Fe0 AP1130AG


Many thanks

Hi,


Can you access your AP from the rest of your network (i.e. from a subnet other than vlan 8)?

Also, as a test, you can move a DHCP pool to your AP & see whether the client gets connectivity.




Hi Rasika, thank you for responding.

I can access the AP from my Desktop PC which is on Vlan8 ( I can access it via

The only other network I have locally is the guest-wlan Vlan77 (, which I have defined on the ASA as Vlan77 with IP I *cannot* ping this IP address from my Desktop PC (Vlan8).


As far as DHCP, while I can attempt this, would you agree that if I simply set a Static IP on my laptop's Wireless Interface, then joined the BSSID, this would provide the necessary results?

Right now I believe the problem is routing/tags.  Hopefully DHCP broadcasts will start working once the routing is working.


If you agree, I will attempt the Static method as described above.


Thanks again for the assistance

Hi,


See this post and it may help you to fix this vlan tagging or routing issue.




To add to my troubleshooting:

I just created a capture on the ASA on the "guest-wlan" interface.  
I then created BVI77 on the AP with IP address
From the ASA, I then tried to Ping the new BVI out the guest-wlan interface.

It looks like the ASA is arp'ing for the address, but not getting any replies. I feel this is the right step, but now I'm stuck at the AP.  


asa# capture test interface guest-wlan
asa# ping guest-wlan
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)



asa# sh capture test

6 packets captured

   1: 10:57:48.885223       802.1Q vlan#77 P0 arp who-has tell
   2: 10:57:50.479070       802.1Q vlan#77 P0 arp who-has tell
   3: 10:57:51.479085       802.1Q vlan#77 P0 arp who-has tell
   4: 10:57:55.479131       802.1Q vlan#77 P0 arp who-has tell
   5: 10:57:58.529269       802.1Q vlan#77 P0 >  ip-proto-103, length 38
   6: 10:58:00.479177       802.1Q vlan#77 P0 arp who-has tell
6 packets shown
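
An added example, not part of the thread or anyone's posted code: a small Python parser for `show capture` text in the layout above that reports ARP requests, per 802.1Q VLAN, that never received a reply. The sample addresses are constructed placeholders (the thread's own addresses are not shown), and the `arp reply ... is-at` line layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the capture output above.
# Addresses are placeholders; the "arp reply ... is-at" format is assumed.
SAMPLE = """\
5 packets captured
   1: 10:57:48.885223       802.1Q vlan#77 P0 arp who-has 192.0.2.2 tell 192.0.2.1
   2: 10:57:50.479070       802.1Q vlan#77 P0 arp who-has 192.0.2.2 tell 192.0.2.1
   3: 10:57:58.529269       802.1Q vlan#77 P0 192.0.2.1 > 224.0.0.13:  ip-proto-103, length 38
   4: 10:58:01.100000       802.1Q vlan#8 P0 arp who-has 198.51.100.5 tell 198.51.100.1
   5: 10:58:01.100450       802.1Q vlan#8 P0 arp reply 198.51.100.5 is-at 0:11:22:33:44:55
5 packets shown
"""

# "<n>: <timestamp> [802.1Q vlan#<id> P<prio>] <decoded packet>"
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?(?P<rest>.*)$")
WHO_HAS = re.compile(r"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)")
REPLY = re.compile(r"^arp reply (?P<target>\S+) is-at (?P<mac>\S+)")


def unanswered_arp(capture_text):
    """Return {(vlan, target_ip): request_count} for ARP requests with no reply."""
    requests = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # prompts and "N packets captured/shown" summary lines
        vlan = int(m.group("vlan")) if m.group("vlan") else None  # None = untagged
        rest = m.group("rest")
        q = WHO_HAS.match(rest)
        r = REPLY.match(rest)
        if q:
            requests[(vlan, q.group("target"))] += 1
        elif r:
            answered.add((vlan, r.group("target")))
        # anything else (for example ip-proto-103) is not ARP and is skipped
    return {key: n for key, n in requests.items() if key not in answered}


if __name__ == "__main__":
    for (vlan, ip), count in unanswered_arp(SAMPLE).items():
        print(f"vlan {vlan}: {count} ARP request(s) for {ip}, no reply seen")
```

A VLAN that shows only unanswered requests, as VLAN 77 does in the sample, means tagged frames leave the ASA but nothing on that VLAN answers, which points the investigation at the trunk or the AP side.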

