I realize there are a number of threads with this topic already, but I don't see that they answer the question of how to specify that the ASA inspect traffic and also send such traffic to the SSM. If you try to add an 'ips' command to the inspection_default class you get the following error message:
SSI-STL-B1-DC-ASA-01(config-pmap-c)# ips prom fail-open
ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.
You also get an error if you try to add more than one inspect command to a class that does not have match default-inspection-traffic.
If you add another class after that, with a 'match any' or permit any any ACL, it will be accepted, and some traffic is passed to the IPS, but not the inspected traffic, if I understand policy map matching correctly. If the order of the classes were reversed, all traffic would be sent to the IPS, but then nothing would be inspected.
The essence of the problem seems to be that a policy map matches exactly one class, and you can't mix inspect and ips statements in one class.
I might be able to do a match-any class, and then include both a match default-inspection-traffic and an 'ip permit any any' statement, but then I think the ASA would inspect all traffic, which I'm sure would have a performance impact.
Maybe this is by design. Clarification would be appreciated. Thanks
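The two-class layout described in the post, written out as an added example (this is not configuration from the original post or from Cisco documentation); the class-map name ips_all_traffic and the selection of inspect statements are placeholders, and the sensor mode and fail-open keyword are taken from the command the post quotes:

```cisco
! Class 1: the stock default-inspection class.
! Only 'inspect' actions are accepted here, which is the error the post shows.
class-map inspection_default
 match default-inspection-traffic
!
! Class 2 (placeholder name): matches everything, and exists only to
! carry the 'ips' action, since it cannot live in class 1.
class-map ips_all_traffic
 match any
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
 class ips_all_traffic
  ! promiscuous = monitor-only copy of the traffic; fail-open = keep
  ! forwarding traffic if the SSM is down or unresponsive
  ips promiscuous fail-open
!
service-policy global_policy global
```

The ASA evaluates a policy map per feature type rather than stopping at the first matching class: a packet matches at most one class for application inspection and, separately, at most one class for the IPS action, so traffic that matched inspection_default for 'inspect' is still matched by the later match-any class for 'ips'. The ordering concern in the post therefore only applies between classes that carry the same feature type.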