08-18-2002 08:10 AM - edited 03-08-2019 11:58 PM
I don't understand why, when I use the IDS blocking device feature, it puts a permit statement in the created access-list that allows my inside address (in) from the outside. Does this defeat the anti-spoofing setup in an old access-list inbound on the Cisco router serial0 interface? Is the serial0 interface, the outermost interface, the one I need to use for shunning, or should I use the FastEthernet 0? If I use the fa 0 that would make more sense than the outermost serial 0.
08-18-2002 01:44 PM
The standard ACL created by the sensor will contain:
permit line for the sensor address (or the sensor's nat'd address)
deny lines for each block
permit ip any any
If pre and/or post block acls are being used then the ACL will contain:
permit line for the sensor address (or the sensor's nat'd address)
contents of the pre block acl if configured
deny lines for each block
contents of the post block acl (or a permit ip any any if no post shun was configured)
That initial permit line for the sensor address is necessary when the sensor is connecting to the same interface of the router that the sensor is controlling. Without it the sensor could wind up blocking itself, and no longer be able to change acls on the router.
In most cases, however, the sensor is telnetting to the router on the router's internal interface, but is applying ACLs to the router's external interface (serial0 in your environment). In these situations you can keep the sensor from putting in that first permit line for the sensor's address. In the configuration tool there should be a configuration entry to allow the sensor to block its own IP address. The actual token in managed.conf is called AllowSensorShun. If you enable or check this configuration then the sensor will not put in the initial permit line.
If you also don't want the default "permit ip any any" that gets placed at the bottom of the acl, you simply need to designate a post block acl for the sensor to use instead.
So in answer to your question: You can keep using serial0 as the blocking interface. You just need to configure the sensor to allow the sensor to block its own IP address, and configure a post block ACL for what you want at the bottom of the ACL.
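The ACL layout described in this answer, modelled as an added example (not code from the original post or from the Cisco sensor): it assembles the list in the stated order and then evaluates it first-match against a packet arriving on the outside interface with the sensor's own address forged as source. The IOS ACE syntax, the addresses and the anti-spoofing pre-block line are constructed for illustration.

```python
import ipaddress

def build_block_acl(sensor_ip, blocked_ips, pre_block=(), post_block=(),
                    allow_sensor_shun=False):
    """Constructed model of the sensor's ACL, in the order the answer gives.
    ACE text uses plain IOS extended-ACL syntax (an assumption here)."""
    acl = []
    if not allow_sensor_shun:            # AllowSensorShun off: self-protect line
        acl.append(f"permit ip host {sensor_ip} any")
    acl.extend(pre_block)                # pre-block ACL, e.g. anti-spoofing denies
    acl.extend(f"deny ip host {ip} any" for ip in blocked_ips)
    acl.extend(post_block or ["permit ip any any"])   # post-block ACL or default
    return acl

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wc), next."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _matches(spec, addr):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF        # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST' ACEs, implicit deny."""
    for ace in acl:
        tok = ace.split()
        s, i = _parse_addr(tok, 2)
        d, _ = _parse_addr(tok, i)
        if tok[1] == "ip" and _matches(s, src) and _matches(d, dst):
            return tok[0]
    return "deny"

# Constructed sample: inside net 192.168.1.0/24, sensor 192.168.1.5, one blocked
# attacker, and an anti-spoofing ACE supplied through the pre-block ACL.
SENSOR, INSIDE_HOST, BLOCKED = "192.168.1.5", "192.168.1.10", ["203.0.113.7"]
ANTI_SPOOF = ["deny ip 192.168.1.0 0.0.0.255 any"]

def spoofed_sensor_verdict(allow_sensor_shun):
    """Verdict on an outside packet forging the sensor's address as its source."""
    acl = build_block_acl(SENSOR, BLOCKED, pre_block=ANTI_SPOOF,
                          allow_sensor_shun=allow_sensor_shun)
    return evaluate(acl, SENSOR, INSIDE_HOST)
```

With AllowSensorShun off the leading permit line matches before the anti-spoofing deny, so the forged packet is permitted; with it on, the pre-block deny is reached first.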
08-19-2002 08:47 AM
Thanks