Yes, it's mostly possible. We run some of our ASA/AIP-SSM devices like this. The main motivation is the low cost of this bundle. You need to disable as much of the firewall functionality as possible (and some things it does you can't turn off, but they're minor).
If you were planning on making this an in-line sensor, there aren't too many drawbacks (additional ASA OS to babysit, upgrade, additional Ethernet interface for mgmt, etc.). But if you wanted to use this as a promiscuous mode IDS, you still need to run your traffic through the box. There is no way to use the ASA with a span port or tap. As a result, any outage of the ASA (reboot after you upgraded that OS) will result in a network outage. Reboot that IPS sensor, network outage (unless you remove the IPS config from the ASA first = PITA).