Hello everyone!

I have Cisco ASA5506-X (ver. 9.8(2)20, asdm 7.9(1)151) on my remote site. I want to setup VPN access with authentication from Active Directory. I want to use AD passwords for auth in ASDM and SSH (if it fails use LOCAL) also.

I already did it past on Cisco PIX515E and Cisco ASA5505 using this manual:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

But now I have trouble because it is first time when I use radius server (NPS) located on remote site (behind IPSec Site-to-SIte). When I try to execute test I receive Time out.

Log:

Built outbound UDP connection 2053719 for outside:192.168.111.246/1645 (192.168.111.246/1645) to identity:86.222.222.222/7272 (86.222.222.222/7272)

where 192.168.111.246 is IP of my NPS servers located on remote site behind IPSec.

86.222.222.222 is my public IP of ASA5506. 

I guess I need to make NAT exempt  between inside-bridge and outside interface as I did it for inside1 and inside2 interfaces in order to avoid natting into outside interface.

 nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

But I cannot do it:

P.S. If I make ping 192.168.111.246 from ASA with source inside-bridge then ping successful, but it fails from inside1 or 2 OR without source interface:

P.S.S: I understand that I can public my remote NPS server ports 1645-1646 to internet IP address on remote site and specify it address on ASA (with source as outside interface), but I don't want to do it (security considerations).