I have already that,

in the inside, I have all the needed vlans (1 for Aps management and 1 for Wireless clients and 1 for DHCP server), in the other side (DMZ) I have only 1 vlan which is the management vlan of the WLC

I tried even to use the local DHCP of the WLC, no luck

this is Flex or Local ?

Tried both, now in Flex mode

FOR FLEX MODE
AP-SW-ASA
AP-Trunk-SW must include both native VLAN for AP management and connect to WLC and VLAN of Client.
SW-ASA
config the ASA sub interface for VLAN of AP management and VLAN of Client.
DHCP-SW-ASA
config the ASA sub interface for DHCP 

IF THE SECURITY LEVEL FOR ALL THESE SUB-INTERFACE IS SAME THEN YOU NEED 
same-security-traffic permit inter-interface

Sorry, im a bit confused here,

Hi flavio,

I got your point partially,

I'm using trunk between the fw and the sw to which is connected the wlc, in that interface theirs only 1 vlan created which is the vlan in the dmz zone dedicated for wifi, in the other side of the fw there's an inside zone, in which there's all the SVIs of the LAN vlans, including ap management vlan and wifi vlan ( used only for internet), what shoudl i do in the wlc side do mobile users can get ip adresses and connect to their ssid?, in standard architectures in which yhe wlc is not behind a fw, i create for each vlan a wlan interface that is reacheable for the core switch, and put on each of it a dhcp information so users can get ips depending on the ssid selected, in the actual scenario i can't create an interface in the wlc simply because i can't have the same vlan in the inside zone and behind the fw.. i can make a drawing to make it clearer

You can put a topology here to make it easier. Firstly, I though the WLC was connected to the firewall.   But, I think I got the point and I believe what you are try to achieve is not possible.

If you want to segregate the WLC in a DMZ, what you can do is to add a second WLC and work with Anchor and Foreign WLC.

WLC is a Layer 2 device, so, if you want to segment traffic, you need vlans and trunk.

Wich Mobility Anchor, you achieve what you intend, but you need to have a second device.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html 

Hi flavio, attached a topology of the actual config, i'll check the shared link, but we have only 2 WLCs for redundancy

Thank you 

Alright.

 Then you just need to create a trunk between WLC and Switch. As you already have trunk between switch and Firewall.  You also need trunk between Firewall and the second switch.

After that, you need to create the interfaces vlan on the WLC and put on it ip address, mask, gateway (which will be the interface vlan on Firewall) and DHCP server.

On the firewall you also create interface vlan, put the IP address, just like you did on the WLC.  The firewall will send the DHCP request to the DHCP. If DHCP server is direct connected, OK. But if not, you need ip helper address.

Thats it.

O edited your topoloy, take a look

My mistake in the diagram, you're right, it's already the case in the configuration in the WLC and switch (I have vlan 100 in the DMZ zone as you mentioned and its GW in the firewall), I have a question though, the vlan 100 is for management, when creating a WLAN should I map it to the same interface (management) or create its own interface, if it's its own interface, what subnet should I use, definitlt not the one of vlan 200 because it's in the inside

my second question, I will trunk the port between WLC and sw, but what else will go through that link ? for now I have only 1 subnet created in the WLc which is the management subnet for AP provisioning

Thank you

Right.

Forget about the mgmt interface. Its done and working as it should.

"my second question, I will trunk the port between WLC and sw, but what else will go through that link ? for now I have only 1 subnet created in the WLc which is the management subnet for AP provisioning"

On this trunk will pass the mgmt vlan and all other vlans you create on the WLC for clientes.  Let´s say you have three SSID:

Corp-PC - vlan 300

Corp-Phone - vlan 400

Guest - vlan 500

On the WLC, you need to create all this three vlans and associate it one with its respective SSIDs.

When a user connect ont eh Corp-PC, its traffic will get to the WLC through the capwap tunnel stablished between the WLC and AP through vlan mgmt.  Then, the WLC will send the client traffic through the vlan 300 towards the Firewall.

The firewall also need to have that vlan, after all, it is the gateway.

Got it?