apparently it is easily possible if you deploy NAP using IPsec enforcement. I found a quote on the technet forum that makes perfect sense to me:
"Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide. If you want clients to have access to certificates when they are not connected to the VPN, you would have to supply some of the NAP infrastructure on the Internet, specifically the HRAs. You can also put everything on your intranet and check health only when clients connect through the VPN."
source: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ab7a5a06-b258-4918-a4a4-e1c96f7a2e6d/
There are also a people who managed to get NAP with VPN enforcement working on a PIX so i guess it should be doable with an ASA as well.
PIX working with NAP VPN: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/d20ddfef-3275-4903-893e-853049bc1925