The first design issue is that you are being asked to place an IPS sensor OUTSIDE the firewall?
Is anyone actually going to be looking into the events being generated (event analysis)? If so, placing your sensor outside the firewall is a terrible idea because you will be generating IPS events on traffic that very well may be blocked by the firewall behind it. This will waste the resources and bandwidth of the person(s) doing event analysis.
The second issue is reliability. You have an HA pair of 5520s; that tells me someone thinks connectivity is important enough to invest in redundant firewalls. You are going to definitely lower the reliability of this design by placing a single device that will be updated frequently and even rebooted (software updates). An IPS sensor does not have the reliability of a switch.
The good news is that the IPS sensors are all Layer 2 devices and do not require any changes to your existing Layer 3 design.
You originally stated that you wanted to place an ASA5525-X between the external L3 switch and an HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.
The "best option" depends on cost and product support.
Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality
Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic through it upon some failures. The way around that would be to use a tap or to do a spanning port on your L3 switch.
Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.
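The spanning-port option from the reply above, as an added example that is not part of the original post: a Cisco IOS SPAN session on the external L3 switch that copies both directions of the uplink toward the firewall pair to the port where the IPS sensor's monitoring interface connects. The interface names and session number are assumptions, not taken from the poster's network.

```cisco
! Added example (not from the original post). Interface names are assumed:
!   GigabitEthernet0/1 = uplink toward the ASA HA pair (traffic we want inspected)
!   GigabitEthernet0/2 = port cabled to the IPS sensor's monitoring interface
!
! Remove any stale session with the same number before configuring.
no monitor session 1
!
! Mirror both ingress and egress frames of the firewall-facing uplink.
monitor session 1 source interface GigabitEthernet0/1 both
!
! Deliver the copy to the sensor port. IOS takes this port out of normal
! forwarding, so it carries only mirrored frames and the sensor never sits
! in the forwarding path.
monitor session 1 destination interface GigabitEthernet0/2
!
! Verify the session after configuring.
do show monitor session 1
```

Because the sensor only receives a copy of the traffic, it can alert but cannot drop anything, and an update or reboot of the sensor leaves forwarding through the switch and the HA firewalls untouched, which is the reliability point the reply makes. Inline blocking needs the tap or fail-open arrangement the reply describes instead.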
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: