Customer doesn't want to use MARS. Any recommendations on decent syslog server?
I would place it behind the firewall's outside interface. But this all depends on your security policy and how your network is setup.
Another factor is your IPS device's throughput. Can it sustain the load from the internal LAN? If so you can also place it behind the PIX firewall. This will give you protectional for both internal an external threats.
I would setup the IPS in inline interface pair mode.
Have a look at this link:
Please rate if helpful.