F5 ASM Testing Environment Setup with legitimate traffic (Please Advise)

A clone pool would be a good idea, as it would send all of your production traffic to the secondary bigIP. Be aware that you can also configure the ASM in transparent mode and watch the production traffic itself. The ASM will flag all the traffic as if it was blocking, but won't actually block. The other things to keep an eye out for are Dataguard, and javascript injection. I have seen situations where a site's javascript won't play nice with the injections from the ASM, but it's rare. Pete is also correct in that you can simply configure a virtual server either on another IP or another port (may require some work with local traffic policies to keep to that port) and have a subset of users test the ASM that way.