Cisco ASA S-2-S VPN allow ESP and ISAKMP to control-plane

To allow only a specific VPN peer to establish a site-to-site (S-2-S) VPN to your firewall, create an ACL and apply it to the firewall control plane: permit ESP and ISAKMP from that peer and block everything else.

VPN ACL:  
Modify this over SSH, from enable / conf t:  
Allow any IP to establish the VPN:  
  no access-group VPN_CONTROL in interface outside control-plane  
Restrict VPN establishment to <SOURCE_IP> only:  
  access-group VPN_CONTROL in interface outside control-plane  


EXAMPLE  
access-list VPN_CONTROL  
access-list VPN_CONTROL line 1 extended permit esp host <SOURCE_IP> host <YOUR_FW_IP>  
access-list VPN_CONTROL line 2 extended deny esp any any  
access-list VPN_CONTROL line 3 extended permit udp host <SOURCE_IP> host <YOUR_FW_IP>  
access-list VPN_CONTROL line 4 extended deny udp any any eq isakmp  
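Before applying a control-plane ACL it is worth checking offline that it really permits only the peer's ESP and ISAKMP traffic. The following Python script is an added example (not from the original post): it parses the `show access-list` style lines above and evaluates to-the-box flows first-match, the way the ASA walks an extended ACL. The IPs 203.0.113.10 and 198.51.100.1 are constructed documentation-range placeholders for <SOURCE_IP> and <YOUR_FW_IP>; the `audit` probe flows and the 192.0.2.99 "other host" are my own choices. When no entry matches, the evaluator returns None rather than assuming what the platform does next.

```python
"""Offline first-match evaluator for the Cisco ASA extended ACL shown above.
Added example, not from the original post; the IPs are constructed
documentation-range placeholders standing in for <SOURCE_IP> and <YOUR_FW_IP>."""
import re
from dataclasses import dataclass
from typing import List, Optional

PEER = "203.0.113.10"   # stands in for <SOURCE_IP>   (constructed)
FW = "198.51.100.1"     # stands in for <YOUR_FW_IP>  (constructed)

# The ACL exactly as the post shows it, with the placeholders substituted.
SHOW_ACL = f"""
access-list VPN_CONTROL
access-list VPN_CONTROL line 1 extended permit esp host {PEER} host {FW}
access-list VPN_CONTROL line 2 extended deny esp any any
access-list VPN_CONTROL line 3 extended permit udp host {PEER} host {FW}
access-list VPN_CONTROL line 4 extended deny udp any any eq isakmp
"""

SERVICE_PORTS = {"isakmp": 500}  # service names the ASA prints instead of numbers


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # esp, udp, tcp, ip, ...
    src: str              # address or "any"
    dst: str
    dport: Optional[int]  # None when the entry carries no "eq <port>"


ENTRY_RE = re.compile(
    r"^access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list ... extended ...' lines; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        port = m.group("port")
        dport = None if port is None else (SERVICE_PORTS.get(port) or int(port))
        entries.append(AclEntry(
            m.group("action"), m.group("proto"),
            m.group("src").replace("host ", ""),
            m.group("dst").replace("host ", ""),
            dport))
    return entries


def evaluate(entries: List[AclEntry], src: str, dst: str,
             proto: str, dport: Optional[int] = None) -> Optional[str]:
    """Return the action of the first entry matching the flow, or None when
    nothing matches (what the box does then is not assumed here)."""
    for e in entries:
        if e.proto not in (proto, "ip"):
            continue
        if e.src not in ("any", src) or e.dst not in ("any", dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return None


def audit(entries: List[AclEntry], peer: str, fw: str) -> dict:
    """Probe the to-the-box flows that matter for the site-to-site tunnel."""
    other = "192.0.2.99"  # constructed: any host that is not the peer
    return {
        "peer_esp":     evaluate(entries, peer,  fw, "esp"),
        "other_esp":    evaluate(entries, other, fw, "esp"),
        "peer_isakmp":  evaluate(entries, peer,  fw, "udp", 500),
        "other_isakmp": evaluate(entries, other, fw, "udp", 500),
        "peer_natt":    evaluate(entries, peer,  fw, "udp", 4500),   # NAT-T
        "other_natt":   evaluate(entries, other, fw, "udp", 4500),
        "peer_dns_udp": evaluate(entries, peer,  fw, "udp", 53),
    }


if __name__ == "__main__":
    for flow, verdict in audit(parse_acl(SHOW_ACL), PEER, FW).items():
        print(f"{flow:13s} -> {verdict}")
```

Running the audit shows two things the prose does not spell out: line 3 permits every UDP datagram from the peer to the firewall, not only ISAKMP (so NAT-T on UDP 4500 also passes, but so would UDP 53), and line 4 only denies UDP 500 from other hosts, so UDP 4500 from a non-peer is left unmatched. If the peer is not behind NAT, tightening line 3 with `eq isakmp` makes the ACL say exactly what the text intends; if NAT-T is needed, add an explicit entry for UDP 4500 from the peer and a matching deny.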


by lo3k