Another solution can be using vpn-filter:
access-list filter permit tcp 10.254.254.0 255.255.255.0 host 192.168.100.2 eq 80
access-list filter deny tcp 10.254.254.0 255.255.255.0 host 192.168.100.2
access-list filter permit ip any any
Assuming that u r using DfltGrpPolicy as the group-policy for remote-access:
group-policy DfltGrpPolicy attributes
vpn-filter filter
The advantage of using vpn-filter is that it will not even allow denied traffic to go to local network. Whereas, in the other method, only the reply from the local-network is denied. The local network will still be getting requests which is meant to be denied.