Right, that is the normal configuration. In 8.x and maybe 7.x there is a command 'vpn-filter' which can be set per group-policy and reference an ACL. That ACL will be imposed on inbound traffic and outbound traffic.
Alternately you have to disable the 'sysopt connection permit-ipsec' (or 'permit-vpn' for 8.x), and then create an ACL that you apply to your outside interface to allow IPSec traffic connections, but filter access to internal systems.
Using the vpn-filter command is MUCH easier though.