You can do this by using ACL's and Source Groups separately (i.e. - don't use an ACL to map traffic into a Source Group). Ex:

VLAN10 = 10.10.10.0/24

Services: VLAN10-1, VLAN10-2

VLAN11 = 10.10.11.0/24

Services: VLAN11-1, VLAN11-2

!--Write some ACL's to block traffic

acl 10

clause 5 deny any 10.10.10.0 255.255.255.0 destination 10.10.11.0 255.255.255.0

clause 10 permit any any destination any

apply circuit-(VLAN10)

acl 11

clause 5 deny any 10.10.11.0 255.255.255.0 destination 10.10.10.0 255.255.255.0

clause 10 permit any any destination any

apply circuit-(VLAN11)

!--Create some src groups to NAT outbound traffic

group VLAN10

vip address x.x.x.x

add service VLAN10-1

add service VLAN10-2

active

group VLAN11

vip address y.y.y.y

add service VLAN11-1

add service VLAN11-2

active

~Zach