Hello Paul,

Yes, you can do it..

1. Create an access-list with  the source subnet/host along with ports you want to take care of.

2. Call that access-list in class-map

3. Call this class-map in policy-map and give the command ips promiscuous fail-open/fail-close.

4. Apply policy-map on particular interface.

ciscoasa(config)#access−list traffic_for_ips permit tcp host x.x.x.x any eq 22

ciscoasa(config)#class−map ips_class_map

ciscoasa(config−cmap)#match access−list traffic_for_ips

ciscoasa(config)#policy−map interface-policy

ciscoasa(config−pmap)#class ips_class_map

ciscoasa(config−pmap−c)#ips promiscuous fail−open

!−−− Two decisions need to be made.

!−−− First, does the AIP−SSM function

!−−− in inline or promiscuous mode?

!−−− Second, does the ASA fail−open or fail−closed?

ciscoasa(config)#service−policy interface_policy interface inside