Hi Paul,
By default, ASM cannot do anything for access control based on client IP address/subnet. You could use an iRule to perform basic HTTP auth. Or you could use the Access Policy Module (APM) to do this.
Here's an elegant example from George Watkins for doing basic auth in an iRule:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086387/categoryId/16/HTTP-Basic-Access-Authentication-iRule-Style.aspx
You could modify this to apply the auth requirements for anyone not in a given set of IP addresses/subnets as defined in a address type datagroup.
Aaron