Is it possible to do this on an ASA? I can't understand how a router can do a better job with asymmetrical flow control than an ASA.

crypto map VPN 168 ipsec-isakmp
 description CUST-CareOne-LongRidge Site-to-Site
 set peer 108.170.125.242
 set ip access-group VPNCryptoMap168_in-ACL in
 set ip access-group VPNCryptoMap168_out-ACL out
 set transform-set AES256_SHA
 match address VPNCryptoMap168-ACL

ip access-list extended VPNCryptoMap168-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit ip 10.61.0.0 0.0.255.255 172.18.61.0 0.0.0.255
ip access-list extended VPNCryptoMap168_in-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit icmp any object-group CareOne_Somerset_restrict-og echo-reply
 permit udp any eq snmp host 10.61.23.101
 permit udp any host 10.61.23.101 eq tftp
 permit tcp any any established
 permit tcp any host 10.61.202.88 eq telnet www lpd 5357 5800 5900
ip access-list extended VPNCryptoMap168_out-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit ip object-group CareOne_Somerset_restrict-og any