Cisco 887W Dual SSIDs Internet Issues

richard
Level 1

Hi, I am hoping someone can help. I have inherited the Cisco infrastructure for a number of our customers. I have had to replace a Cisco 877W with a new 887W. It is a multiple-SSID setup with 2 VLANs.

Vlan 1 - Management

Vlan 2 - Guest.

Now everything is working fine on Vlan 1: full internet access, the works.

Vlan 2, however, even though it gets the correct DHCP address, has no internet access when connected. I assume it is something to do with the access lists, but I am stumped. Below is the current config.

Router:

boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login *** local
aaa authorization exec ***** local
aaa authorization network **** local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-3147642240
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3147642240
revocation-check none
rsakeypair TP-self-signed-3147642240
!
!
crypto pki certificate chain TP-self-signed-3147642240
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313437 36343232 3430301E 170D3135 31323239 31383535
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31343736
34323234 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C62C 5D5A2A29 FB977A8C 784604A3 B36E95E3 41484DCE C4A8A67A 46C7021B
3EDE710B 4B76EC6E 56B2967D EE4098B8 B17A64B4 5D9DCE33 46EB25EF AB49E0DE
FE21CD1E 44325636 3F87E048 C2686F6A B6C57A79 A80D64B0 870CBCD7 F98E7288
215704E8 8EAFEECF 6EB5CF0F 676B271B 7B68B7D4 7C7D4744 CD92578A EF515EBB
F2970203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14D1BF9C 91D30245 CFA08613 0BDBA4BE 5BB4C6F5 F7301D06
03551D0E 04160414 D1BF9C91 D30245CF A086130B DBA4BE5B B4C6F5F7 300D0609
2A864886 F70D0101 05050003 8181005D EAFBD2B6 6FCF9B19 CA865C1B 3CBFAB58
4393F028 B08064E2 D2F3C38A D0E4F737 8A050F2F C8982A1F 80F2757B 70B257BA
D151C69C FB2E6BE2 4CBB3FD3 7B38370E 1FC89BBA DCCEDEF3 8606CB0A FFB93000
A4BAB7E6 5AA545C2 BF3055A8 7947479D F7641801 A1B03B29 CD0E54C3 5784B2A0
890AC580 BE6106FC 14FC947D 708D1F
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.152.1
ip dhcp excluded-address 193.168.152.1
ip dhcp excluded-address 192.168.152.254
ip dhcp excluded-address 192.168.152.253
ip dhcp excluded-address 193.168.152.253
ip dhcp excluded-address 192.198.152.250
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool VLAN2
network 193.168.152.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 193.168.152.254
lease 0 4
!
ip dhcp pool VLAN1
network 192.168.152.0 255.255.255.0
dns-server 194.72.9.34 194.72.9.38
default-router 192.168.152.254
lease 0 4
!
!
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-W-E-K9 sn FCZ1953C0DX
!
!

!
!
!
!
!
controller VDSL 0
!
!
!
VPN Removed
!
bridge irb
!
!
!
!
!
interface ATM0
description ** Physical Interface to Broadband **
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 0 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description ** Trunk port to Wireless Bridge **
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip route-cache
!
interface Vlan1
description ** Management Vlan **
ip address 192.168.152.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description ** FreeWifi Vlan **
ip address 193.168.152.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
bridge-group 2
!
interface Dialer1
description ** Outside Interface Connected to BT **
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname Removed
ppp chap password 0 Removed
no cdp enable
crypto map vpns
!
interface BVI1
no ip address
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map MarkGrays interface Dialer1 overload
ip nat inside source static tcp 192.168.152.250 80 81.136.232.38 80 route-map MarkGrays extendable
ip nat inside source static tcp 192.168.152.250 8080 81.136.232.38 8080 route-map MarkGrays extendable
ip nat inside source static tcp 192.168.152.250 30001 81.136.232.38 30001 route-map MarkGrays extendable
ip nat inside source static tcp 192.168.152.250 32000 81.136.232.38 32000 route-map MarkGrays extendable
ip nat inside source static tcp 192.168.152.250 33000 81.136.232.38 33000 route-map MarkGrays extendable
ip nat inside source static tcp 192.168.152.250 36000 81.136.232.38 36000 route-map MarkGrays extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
route-map MarkGrays permit 1
match ip address 120
!
access-list 101 remark ** Inbound Firewall **
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp 81.137.23.32 0.0.0.7 any eq 22
access-list 101 permit tcp 81.138.235.184 0.0.0.7 any eq 22
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 30001
access-list 101 permit tcp any any eq 32000
access-list 101 permit tcp any any eq 33000
access-list 101 permit tcp any any eq 36000
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 8080
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark ** Static vpn connection to Essystems **
access-list 102 permit ip 192.168.152.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 192.168.152.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 permit ip 192.168.152.0 0.0.0.255 10.2.10.0 0.0.0.3
access-list 103 remark ** Restricted access **
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any 192.168.152.0 0.0.0.255 established
access-list 103 deny icmp any 192.168.152.0 0.0.0.255
access-list 103 deny ip any 192.168.152.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 remark ** VTY Access **
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
access-list 104 permit ip 172.16.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.152.0 0.0.0.255 any
access-list 104 permit ip 81.137.23.0 0.0.0.7 any
access-list 104 deny ip any any
access-list 120 remark ** NAT Translations **
access-list 120 deny ip host 81.136.232.38 81.137.23.32 0.0.0.7
access-list 120 deny ip 192.168.152.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 deny ip 192.168.152.0 0.0.0.255 10.2.10.0 0.0.0.3
access-list 120 permit ip any any
access-list 120 deny ip 192.168.152.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
^C
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 104 in
privilege level 15
login authentication ***
transport input all
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
sntp server 64.113.32.5
sntp broadcast client
!
end

AP:

ap#sho run
Building configuration...

Current configuration : 2659 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$hxDJ$VScjTtGZchcGQ5qW0Qm.r1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
no ip source-route
!
!
dot11 syslog
dot11 vlan-name FreeWifi vlan 2
dot11 vlan-name Management vlan 1
!
dot11 ssid FreeWifi
vlan 2
authentication open
guest-mode
mbssid guest-mode
!
dot11 ssid MarkGrays
vlan 1
authentication open
infrastructure-ssid
!
!
!
username essystems privilege 15 secret 5 $1$GuoE$/5WB3xn.9XEyEvoh74JZ/0
!
!
bridge irb
!
!
interface Loopback0
ip address 192.168.152.100 255.255.255.0
no ip route-cache
!
interface Loopback1
ip address 193.168.152.100 255.255.255.0
no ip route-cache
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 0 AFE47920DDF491787AAD733D08 transmit-key
encryption mode ciphers wep128
!
ssid FreeWifi
!
ssid MarkGrays
!
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 192.168.152.250 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.152.254
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
privilege level 15
no activation-character
line vty 0 4
!
cns dhcp
end

Please help!
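A security point visible in the posted AP config, separate from the connectivity question: Dot11Radio0 carries a static 128-bit WEP key in the clear (`encryption key 1 size 128bit 0 ...`, with `no service password-encryption`), and neither `dot11 ssid` block configures key management. So the management SSID MarkGrays on VLAN 1, the same VLAN as the router's management address, the AP's BVI1 and the VPN-side networks, is protected by static WEP at best, and WEP keys are recoverable from captured traffic in minutes. The key itself is also now public by virtue of the post. What follows is an added example of moving MarkGrays to WPA2-PSK with AES-CCMP on the autonomous AP; it is not part of the original thread. The passphrase is a placeholder, and leaving FreeWifi on VLAN 2 open is assumed to be deliberate.

```ios
! Added example, not from the thread: WPA2-PSK (AES-CCMP) for the management SSID
! on the embedded autonomous AP.
! Assumptions: the passphrase is a placeholder; FreeWifi on VLAN 2 stays open by design.
configure terminal
!
! Remove the static WEP key and cipher from the radio (negate the two lines
! exactly as 'show run' prints them), then give VLAN 1 a WPA2-capable cipher.
! VLAN 2 (guest) gets no cipher, i.e. it stays open.
interface Dot11Radio0
 no encryption mode ciphers wep128
 no encryption key 1 size 128bit 0 AFE47920DDF491787AAD733D08 transmit-key
 encryption vlan 1 mode ciphers aes-ccm
exit
!
! Bind WPA2 key management with a pre-shared key to the management SSID.
! The cipher for the SSID's VLAN must exist before this is accepted.
dot11 ssid MarkGrays
 vlan 1
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 REPLACE-with-a-long-random-passphrase
 infrastructure-ssid
exit
!
! Stop printing secrets in the clear in 'show run'.
service password-encryption
end
!
! Checks: no 'wep' left on the radio, WPA2 bound to MarkGrays, clients re-associated.
show running-config | include encryption|key-management|wpa-psk
show dot11 associations
```

Because the WEP key, the enable secret hash and the `essystems` user hash were all posted publicly, rotate them rather than just re-hiding them with `service password-encryption`. The order above matters on these APs: the VLAN cipher has to be set before `authentication key-management wpa` is accepted on the SSID, and clients on MarkGrays will drop and need the new passphrase.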

1 Reply

richard
Level 1

Additionally, if I try to ping a connected client or a loopback in the 193 network from the router side, I get no reply.
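The symptom in the original post (DHCP works on VLAN 2, nothing routes) and in the follow-up (the router itself cannot ping a 193.168.152.x host) points at the router's Vlan2 interface rather than at the access lists. In the posted router config, Vlan2 carries both an IP address and `bridge-group 2`, while `bridge irb` and `bridge 2 route ip` are set and no BVI2 exists. With IRB, IP for a bridge group is routed through that group's BVI, so the address on a member interface is not served, which is consistent with the router-side ping failing. The address-less BVI1 and the bridge statements look like leftovers from the 877W, where the radio sat on the router and needed IRB; on the 887W the AP is a separate module trunked over Wlan-GigabitEthernet0, so the SVIs route on their own. Below is an added example of the change plus the checks to run afterwards; it is not part of the thread, and the diagnosis is an inference from the posted lines, not something the thread confirms. The client address used in the ping is assumed.

```ios
! Added example, not from the thread: router-side change for VLAN 2 on the 887W.
! Assumption: bridge-group 2 on Vlan2, the address-less BVI1 and the bridge
! statements are 877W leftovers; the 887W reaches its AP over the
! Wlan-GigabitEthernet0 trunk, so the SVIs route without IRB.
configure terminal
!
! 1. Vlan2 must not be a bridge-group member: with 'bridge irb' and
!    'bridge 2 route ip', IP for bridge group 2 is expected on BVI2 (which
!    does not exist), so 193.168.152.254 on Vlan2 is never answered.
interface Vlan2
 no bridge-group 2
exit
!
! 2. Remove the remaining IRB leftovers. BVI1 has no address, and bridge
!    group 1 has no member interface on the router. Order matters: the BVI
!    goes first, 'bridge irb' last.
no interface BVI1
no bridge 2 route ip
no bridge 1 route ip
no bridge 2 protocol ieee
no bridge 1 protocol ieee
no bridge irb
!
! 3. Side issue in ACL 120: the deny for 172.16.2.0/24 sat after
!    'permit ip any any' and was never reached, so that traffic was NATed
!    before the crypto map saw it. Rebuild with every exemption before the permit.
no access-list 120
access-list 120 remark ** NAT Translations **
access-list 120 deny   ip host 81.136.232.38 81.137.23.32 0.0.0.7
access-list 120 deny   ip 192.168.152.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 deny   ip 192.168.152.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 192.168.152.0 0.0.0.255 10.2.10.0 0.0.0.3
access-list 120 permit ip any any
end
!
! 4. Checks, from the router. Vlan2 should show up/up with its address and a
!    connected route; a FreeWifi client should answer; after the client
!    browses, a translation from 193.168.152.x to the Dialer1 address and
!    an inspect session for it should exist.
show ip interface brief | include Vlan
show ip route connected
show ip dhcp binding
! assumed client address taken from the binding list above
ping 193.168.152.2
show ip nat translations | include 193.168.152.
show ip inspect sessions
```

Test with a wireless client on FreeWifi rather than the AP's Loopback1: on the AP, VLAN 2 is only bridged (bridge group 2 has no BVI there, the AP's single IP interface is BVI1 on VLAN 1), so 193.168.152.100 will not answer from VLAN 2 even once routing works. Three more things visible in the same config are worth fixing while there: 193.168.152.0/24 is not RFC 1918 space, so guests addressed from it can never reach whoever legitimately holds that range (a 172.16 or 192.168 block that does not collide with the VPN subnets in ACL 102 avoids that); `ip dhcp excluded-address 192.198.152.250` looks like a typo for the AP's static 192.168.152.250, which is therefore not excluded from the VLAN1 pool; and `ip http access-class 23` plus `access-class 23 in` on vty 5-15 reference an access list that is not defined anywhere in the posted config, so unless it lives in the part marked "VPN Removed", those lines filter nothing, and with `transport input all` on the vty lines that is worth closing by defining ACL 23 (or reusing 104) and limiting transport to ssh.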
