I am planning to use ASA 5520 as the hub for a hub / spoke VPN. With the spoke to spoke vpn confguration where all remote site vpns terminate on the same (outside) interface, will the AIP SSM IPS module be able to inspect traffic from one spoke that bounces off the ASA to a second spoke, or can it only inspect traffic that actually "passes through" the firewall?