10-24-2020 09:39 AM
There's no reason why this wouldn't work; you can absolutely have Layer3 interfaces running alongside your Virtual Wire without any issues. The nice part of this is you actually don't even have to worry about routing changes or anything bringing down the virtual wire when you're working to bring in the Layer3 interfaces, because it's just a simple virtual wire configuration. You could then also configure a GlobalProtect Portal and Gateway without issue through the Layer3 interface.
I'd follow your current plan and just get everything working to start off with, and move to slowly just get rid of the ASA and dropping the virtual wire configuration all together. The ASA isn't doing anything the PA-3220 isn't capable of doing, so unless something is broken off at the ASA level I don't see any reason to keep it or add an additional pair of PANs. Just use the PA-3220s that you already have to their full potential and you could drop the ASA all-together without having to add any additional hardware.
