The requirement is to design a two-layered defense architecture.
The first logical layer shall include:
a) Cisco ASA with CSC-SSM first and then
b) Cisco ASA with AIP-SSM
(No server farms placed between CSC-SSM and AIP-SSM)
The second layer shall include:
a) FWSM in CAT6500
My query is that since all the necessary access-lists/NAT will be configured within Cisco ASA CSC-SSM (internet edge), should the access-list in the ASA AIP-SSM be 'permit ip any any' and then divert all traffic to AIP-SSM? Or should there be any additional firewall configuration in ASA with AIP-SSM?