ASA (9.6) Static NAT with ACL

Dear all,

I had an issue with static NAT. The task is: the RADIUS client must be masqueraded from its real IP 192.168.53.240 to the assigned IP 192.168.46.1.

I've made my config as in the ASA book:

[attached screenshot: Capture.JPG]

My config:

object network RADIUS
host 192.168.46.250

object network RADIUS
nat (G_STAFF_INSIDE,G_STAFF_OUTSIDE) static 192.168.46.1


access-list OUTSIDE extended permit udp any host 192.168.46.250 range 1812 1813
access-group OUTSIDE in interface G_STAFF_OUTSIDE

G_STAFF_OUTSIDE - ingress interface (network 192.168.53.0/24),

G_STAFF_INSIDE - egress interface (network 192.168.46.0/24)

packet-tracer:

ASA(config)# packet-tracer input G_STAFF_OUTSIDE udp 192.168.53.240 11111 192.168.53.235 1812

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.53.235 using egress ifc identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: G_STAFF_OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop

I would really appreciate any help or advice.

Alex


5 Replies

Try this and paste the result:


object network RADIUS
host 192.168.46.250
!
object network RADIUS
nat (G_STAFF_INSIDE,G_STAFF_OUTSIDE) static 192.168.53.X
!
access-list OUTSIDE extended permit udp any host 192.168.46.250 range 1812 1813
access-group OUTSIDE in interface G_STAFF_OUTSIDE
!
packet-tracer input G_STAFF_OUTSIDE udp 8.8.8.8 11111 192.168.53.X 1812

please do not forget to rate.

Dear Sheraz Salim,

Thanks for your quick reply. I tried your example and got an error:

ASA(config)# object network RADIUS
ASA(config-network-object)# host 192.168.46.250
H9764-GST-ASA(config-network-object)# nat (G_STAFF_INSIDE,G_STAFF_OUTSIDE) static 192.168.53.235
ERROR: Address 192.168.53.235 overlaps with G_STAFF_OUTSIDE interface address.
ERROR: NAT Policy is not downloaded

192.168.53.235 - IP of ingress interface

Even if I apply 192.168.53.240 (the device that initiates the connection), I get the same output from packet-tracer:

ASA(config)# packet-tracer input G_STAFF_OUTSIDE udp 192.168.53.240 11111 192.168.53.235 1812

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.53.235 using egress ifc  identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: G_STAFF_OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop

I would appreciate your kind help,

Alex 

Your outside ASA interface IP address is 192.168.53.235,

and your private RADIUS server is 192.168.46.250,

and you also borrow a spare IP address from your outside interface, let's say 192.168.53.10.

ASA(config)# object network RADIUS
ASA(config-network-object)# host 192.168.46.250
H9764-GST-ASA(config-network-object)# nat (G_STAFF_INSIDE,G_STAFF_OUTSIDE) static 192.168.53.10

access-list OUTSIDE_IN extended permit udp any host 192.168.46.250 eq 1812

access-group OUTSIDE_IN in interface outside

!

packet-tracer input G_STAFF_OUTSIDE udp 8.8.8.8 11111 192.168.53.235 1812

or

packet-tracer input G_STAFF_OUTSIDE udp 192.168.53.7 1812 192.168.53.235 1812 detail

please do not forget to rate.

Dear Sheraz Salim,

Nope, I tried:

ASA(config)# object network RADIUS
ASA(config-network-object)# host 192.168.46.250
ASA(config-network-object)# nat (G_STAFF_INSIDE,G_STAFF_OUTSIDE) static 192.168.53.236

access-list OUTSIDE_IN extended permit udp any host 192.168.46.250 eq 1812

access-group OUTSIDE_IN in interface outside

and got the same issue:

ASA# packet-tracer input G_STAFF_OUTSIDE udp 8.8.8.8 11111 192.168.53.235 1812

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.53.235 using egress ifc  identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: G_STAFF_OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-----------------------------------------------------------
ASA# packet-tracer input G_STAFF_OUTSIDE udp 192.168.53.240 1812 192.168.53.235 1812 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff04c9202a0, priority=13, domain=capture, deny=false
        hits=386779, user_data=0x7ff04c403170, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=G_STAFF_OUTSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff04c92d260, priority=1, domain=permit, deny=false
        hits=26710, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=G_STAFF_OUTSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.53.235 using egress ifc  identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff04b8a6690, priority=0, domain=nat-per-session, deny=true
        hits=87414063, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff04c8c9530, priority=0, domain=permit, deny=true
        hits=52803, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=G_STAFF_OUTSIDE, output_ifc=any

Result:
input-interface: G_STAFF_OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Let me start from the beginning:

The WiFi controller in network 192.168.53.0/24 with IP 192.168.53.240 should reach the RADIUS server in 192.168.46.0/24 with IP 192.168.46.250. But the request to RADIUS must come from source IP 192.168.46.1 only.

ASA interface in .53.0 - 192.168.53.235

ASA interface in .46.0 - 192.168.46.1

BTW, in your example I get an error in the Access-list phase.

Thank you,

Alex
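Both traces above end with output-interface NP Identity Ifc and a drop by the implicit rule in the ACCESS-LIST phase: the destination under test, 192.168.53.235, is the ASA's own G_STAFF_OUTSIDE address, so an ACL written for host 192.168.46.250 can never match that packet. As an added example that is not part of this thread and not Cisco code, here is a small Python parser for packet-tracer output that reports the dropping phase with its drop-reason and flags a destination that resolves to the ASA itself. The trace text is a constructed excerpt of the output posted above; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt of the trace posted in the thread (phases 3 and 5 plus
# the final Result block). The parser skips blank lines, so they are omitted.
SAMPLE_TRACE = """\
ASA# packet-tracer input G_STAFF_OUTSIDE udp 8.8.8.8 11111 192.168.53.235 1812
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.53.235 using egress ifc  identity
Phase: 5
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: G_STAFF_OUTSIDE
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

NEXT_HOP_RE = re.compile(r"found next-hop (\S+) using egress ifc\s+(\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: str = ""           # text under "Config:", e.g. "Implicit Rule"
    info: List[str] = field(default_factory=list)  # lines under "Additional Information:"


def parse_trace(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into its phases and the trailing Result block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}  # keys of the Result block, lower-cased
    current = None
    section = None              # "config" or "info" while inside a phase
    in_result = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section, in_result = None, False
            continue
        if line == "Result:":   # bare "Result:" opens the final block; phases say "Result: ALLOW/DROP"
            current, in_result = None, True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if in_result:
            final[key.lower()] = value
        elif current is None:
            continue            # command echo before the first phase
        elif key == "Type":
            current.type = value
        elif key == "Result":
            current.result = value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section == "config":
            current.config = (current.config + " " + line).strip()
        elif section == "info":
            current.info.append(line)
    return phases, final


def egress_interface(phases: List[Phase]) -> str:
    """Egress interface named by ROUTE-LOOKUP; "identity" means the ASA itself."""
    for p in phases:
        for entry in p.info:
            m = NEXT_HOP_RE.search(entry)
            if m:
                return m.group(2)
    return ""


def diagnose(phases: List[Phase], final: Dict[str, str]) -> List[str]:
    hints = []
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is not None:
        where = f"phase {drop.number} {drop.type}" + (f" ({drop.config})" if drop.config else "")
        hints.append(f"dropped in {where}: {final.get('drop-reason', 'no drop-reason given')}")
    if egress_interface(phases) == "identity" or final.get("output-interface") == "NP Identity Ifc":
        hints.append("destination is an ASA interface address, so this is to-the-box traffic; "
                     "an ACL written for the server's real address can never match it. "
                     "Re-run packet-tracer with the real server IP as the destination.")
    return hints


if __name__ == "__main__":
    for hint in diagnose(*parse_trace(SAMPLE_TRACE)):
        print("-", hint)
```

Run the file directly to see both hints for the sample; for a live case, paste the terminal output of a real packet-tracer run into parse_trace to get the same summary.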

So, I found a solution:

object network RADIUS
 subnet 192.168.53.0 255.255.255.0

!
nat (G_STAFF_OUTSIDE,G_STAFF_INSIDE) source dynamic RADIUS interface

!

access-list A_RUCKUS_INCOMMING extended permit udp any4 any4 range 1812 1813
access-group A_RUCKUS_INCOMMING in interface G_STAFF_OUTSIDE

!

As the destination for the request you should put the real IP address of the server, and the GW will be the OUTSIDE interface of the ASA.

BTW, Many thanks to Sheraz.Salim for his kind help and efforts!

Sia,

Alex