I would like to deploy an ASA as a VPN termination point and utilise the AIP SSM module to inspect and provide protection for traffic arriving inbound on one VPN and exiting on another within the same ASA. I'm assuming this is possible as the traffic is in an unencrypted state within the ASA and should be intercepted by the class map. Has anyone done this or can anyone confirm that it will work?
I have done inspecting the VPN client traffic after decryption and prior to providing them with Internet access (u-turn on the same ASA).
So, it's the same with the only difference that the outbound traffic will be encrypted again and sent through a different tunnel.
As pkampana said, you're good to go.
If the ASA terminates the VPN then indeed it can also inspect internally. The decryption happens before the "module checks" for inbound traffic and the "module checks" come before the encryption for outbound traffic. So you can do it.
I hope it helps.
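The class-map arrangement both replies describe, written out as an added example; this is not configuration from the thread or from Cisco, and the names (IPS_TRAFFIC, IPS_CLASS), the two site subnets and the global policy-map name are assumptions chosen for illustration. Traffic decrypted from the inbound tunnel is matched by the class before it reaches the outbound tunnel's encryption, so the AIP SSM sees it in cleartext.

```cisco
! Hairpinning between two tunnels on the same outside interface requires this,
! otherwise the ASA drops traffic entering and leaving the same interface.
same-security-traffic permit intra-interface

! Cleartext between the two VPN sites (constructed subnets, not from the thread).
access-list IPS_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list IPS_TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

! Match the decrypted site-to-site traffic.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Hand matched flows to the AIP SSM inline. fail-close drops traffic if the
! module is down; fail-open would let it through uninspected.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close

! Apply globally so the class is evaluated on all interfaces, including the
! outside interface where both tunnels terminate.
service-policy global_policy global
```

Confirm the module is actually receiving the flows with `show service-policy global` (the IPS class counters should increment) and `show module 1 details` for the SSM state; if the counters stay at zero, the usual cause is the access-list not matching the pre-encryption addresses.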