get ASA5506W's access point vlans straight to a switch port possible?

tisagift
Level 1

I aim to bring four broadcast domains (associated with four different SSIDs) defined in the internal 702i AP (using VLANs) to a switch port. By doing so, I can have the same broadcast domain (network) shared between wired devices (switch) and wireless devices (asa) (and also get their IP addresses assigned by an external Linux DHCP server connected to the same switch).

This is the network layout:

DHCP SERVER ---- trunk ---- SWITCH ---- trunk ---- ASA

Thank you.

5 Replies

Sorry, can you elaborate more?

MHM

I want to define four wireless VLANs (e.g. vlan 1, vlan 20, vlan 21 and vlan 22) using the CLI (session wlan console) of the autonomous AP (702i) inside my ASA5506W and try to bring them "outside" to an external switch that is connected to the ASA. In other words, is it possible (using the command line interface of the AP and the ASA) to bring the same four wireless VLANs (1, 20, 21 and 22) to an external switch, so that, for instance, wired devices connected to (vlan 20) access ports of the switch and wireless devices connected to e.g. VLAN20 ssid of the ASA can share the same broadcast domain?

Thank you.

If I am understanding your requirements correctly, you need transparent ASA mode, where inside and outside share the same broadcast domain and the ASA inspects L2 frames.

MHM

Ultimately, in my scenario, I need four broadcast domains where the DHCP requests coming from both wired and wireless devices will be handled by an external DHCP server. Moreover, the ASA does not even need to do NAT since the gateway sent to the DHCP clients is also a separate Linux machine. Simply put, I just want to use the AP hardware of the ASA for my wireless devices and get its (wireless) VLANs to an external switch that is connected to the ASA.

Well, I have found a solution to this particular configuration, which I would call:

How to borrow the AP702i from your ASA5506W-X

where GE1/8 is the ASA's trunk port (VLAN 1 untagged, VLANs 12 and 13 tagged), connected to a corresponding trunk port of a Netgear switch, that is "bringing" three different broadcast domains (instead of four, due to my basic license limitation: max VLANs is 5) to my external Linux DHCP server (and default gateway).

With this configuration, all my wired and wireless devices are getting their IP and default gateway assigned by the external DHCP server (the ASA is literally doing nothing but "bridging out" the broadcast domains (VLANs) defined in the internal AP).

If anyone has a better way of doing this, please leave a comment. Thank you.

### ASA CONF (relevant part only) ###

interface GigabitEthernet1/8
bridge-group 1
nameif asamgt
security-level 100
!
interface GigabitEthernet1/8.12
vlan 12
bridge-group 2
nameif asadev
security-level 100
!
interface GigabitEthernet1/8.13
vlan 13
bridge-group 3
nameif asaiot
security-level 100
!
interface GigabitEthernet1/9
bridge-group 1
nameif apmgt
security-level 100
!
interface GigabitEthernet1/9.22
vlan 22
bridge-group 2
nameif apdev
security-level 100
!
interface GigabitEthernet1/9.23
vlan 23
bridge-group 3
nameif apiot
security-level 100
!
interface BVI1
nameif mgt
security-level 100
ip address 10.72.1.241 255.255.255.0
!
interface BVI2
nameif dev
security-level 100
ip address 10.72.12.241 255.255.255.0
!
interface BVI3
nameif iot
security-level 100
ip address 10.72.13.241 255.255.255.0
!
same-security-traffic permit inter-interface

### AP CONFIG ###

dot11 vlan-name vlan1 vlan 1
dot11 vlan-name vlan22 vlan 22
dot11 vlan-name vlan23 vlan 23
!
dot11 ssid DEV
vlan 22
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 pass1
!
dot11 ssid IOT
vlan 23
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 pass2
!
dot11 ssid MGT
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 pass3
!

interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
ssid MGT
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
encryption vlan 22 mode ciphers aes-ccm
encryption vlan 23 mode ciphers aes-ccm
ssid DEV
ssid IOT
mbssid
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!

interface Dot11Radio1.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1.23
encapsulation dot1Q 23
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface GigabitEthernet0.23
encapsulation dot1Q 23
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
!
interface BVI1
mac-address 0042.5ad0.0d8a
no ip address
no ip route-cache
!

interface BVI2
mac-address 0042.5ad0.0d8a
no ip address
no ip route-cache
!
interface BVI3
mac-address 0042.5ad0.0d8a
no ip address
no ip route-cache
!

bridge irb

bridge 1 route ip
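The VLAN renumbering this configuration performs (switch-side VLANs 12 and 13 bridged to AP-side VLANs 22 and 23 through bridge-groups 2 and 3) can be checked mechanically. The following Python script is an added example, not part of the original post: it parses a trimmed copy of the ASA interface stanzas above (nameif lines dropped), pairs each switch-side VLAN with the AP-side VLAN in the same bridge-group, and flags that with every interface at security-level 100, same-security inter-interface traffic permitted and no access-group bound, the ASA applies no filtering of its own between the three broadcast domains.

```python
# Constructed excerpt of the ASA configuration in the post (nameif lines
# dropped for brevity); interface names and VLAN numbers are the page's own.
ASA_CONF = """\
interface GigabitEthernet1/8.12
 vlan 12
 bridge-group 2
 security-level 100
interface GigabitEthernet1/8.13
 vlan 13
 bridge-group 3
 security-level 100
interface GigabitEthernet1/9.22
 vlan 22
 bridge-group 2
 security-level 100
interface GigabitEthernet1/9.23
 vlan 23
 bridge-group 3
 security-level 100
same-security-traffic permit inter-interface
"""

KEYS = ("vlan", "bridge-group", "security-level")

def parse_interfaces(conf):
    """Map each interface stanza to its vlan / bridge-group / security-level."""
    ifaces, cur = {}, None
    for line in conf.splitlines():
        tok = line.split()
        if tok and tok[0] == "interface":
            cur = ifaces.setdefault(tok[1], {})
        elif cur is not None and len(tok) == 2 and tok[0] in KEYS:
            cur[tok[0]] = int(tok[1])
    return ifaces

def vlan_translation(ifaces, switch_port="GigabitEthernet1/8", ap_port="GigabitEthernet1/9"):
    """Pair the switch-side VLAN with the AP-side VLAN sharing its bridge-group."""
    groups = {}
    for name, cfg in ifaces.items():
        side = "switch" if name.startswith(switch_port) else "ap" if name.startswith(ap_port) else None
        if side and "bridge-group" in cfg:
            groups.setdefault(cfg["bridge-group"], {})[side] = cfg.get("vlan")
    return {g: (s.get("switch"), s.get("ap")) for g, s in sorted(groups.items())}

def asa_enforces_no_policy(conf, ifaces):
    """True when all interfaces share one security level, same-security traffic is
    permitted and no access-group is bound: the ASA filters nothing between BVIs."""
    levels = {cfg.get("security-level") for cfg in ifaces.values()}
    return (len(levels) == 1
            and "same-security-traffic permit inter-interface" in conf
            and "access-group " not in conf)
```

Binding an access-group to the BVI interfaces (or giving the three bridge groups different security levels) is what would make the second check return False.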