I am looking at implementing an ASA system for multiple branches (17) in a client site.
I know that the ASA 5510 can have the AIP-SSM module installed, where the 5505 cannot. I want to be able to offer firewall, an IPSEC VPN back to the hub site and IPS in a promiscuous mode. I believe the ASA 5510 w/ AIP-SSM can do this.
I would ideally place the ASA at the ingress point to the branch office to monitor traffic coming into the branch office and use RSPAN to forward all traffic from a sensitive VLAN mirrored to a capture port on the ASA. I'm assuming this can be done, but I would like to make sure.
So, in a nutshell, can the ASA act as a border firewall AND be used to perform IPS functionality on an RSPAN port, where the 4 switches (4 different closets) forward all traffic via the RSPAN port into the ASA AIP-SSM card?