IPS can be either inside or outside the firewall.
Inside usually makes more sense because then the firewall ACL will prevent most inbound traffic with less computational cost than first screening the raw internet incoming traffic (and scanning attempts etc.) with an IPS.
You could add the FirePOWER software modules to your ASA and license the IPS feature on it. That sits inline with the internal ASA traffic flow and inspects traffic redirected to it via Modular Policy Framework (MPF: service-policy, policy-map and class-map).
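
A sketch of the MPF redirection described above, added here as an illustration and not taken from the original post. The ACL name `SFR_REDIRECT` and class-map name `SFR_CLASS` are hypothetical; `global_policy` is the ASA's default global policy-map.

```cisco
! Added example: redirect traffic to the FirePOWER (sfr) module via MPF.
! SFR_REDIRECT and SFR_CLASS are hypothetical names chosen for this sketch.

! 1. Select the traffic to inspect. The module only sees traffic that the
!    interface ACLs have already permitted, which is the cost argument for
!    placing the IPS behind the firewall rather than in front of it.
access-list SFR_REDIRECT extended permit ip any any

! 2. class-map: bind the selection to a traffic class.
class-map SFR_CLASS
 match access-list SFR_REDIRECT

! 3. policy-map: attach the redirect action to the class.
!    fail-open  = keep forwarding, uninspected, if the module is down
!                 (availability over inspection)
!    fail-close = drop the matched traffic if the module is down
!                 (inspection over availability)
!    Appending "monitor-only" sends the module a copy of the traffic
!    instead of placing it inline, so it detects but cannot block.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open

! 4. service-policy: activate the policy-map globally (all interfaces).
service-policy global_policy global

! Verification from the ASA CLI:
!   show module sfr          (module status)
!   show service-policy sfr  (packet counters for the redirect)
```

The fail-open versus fail-close choice decides whether a module outage becomes an inspection gap or a traffic outage, so it should be set deliberately and not left at whatever was pasted in.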