05-26-2021 06:31 PM
We actually have an office setup like this because they were using the ASA for VPN for a bit. Essentially how it was configured was how @Remo already mentioned; the ASA was a standalone layer3 connection that didn't perform NAT on the AnyConnect addresses and just routed them to the layer3 interface with an 'AnyConnect' zone on the firewall. Then the firewall simply has static routes telling it to route traffic for the AnyConnect IP pools back to the ASA.
This configuration essentially allowed us to "ignore" the ASA and treat it as a termination point. All security policies were handled by the PAN firewall and the ASA was essentially just a dumb VPN concentrator for AnyConnect purposes.