We have a dept that is no longer on our network for most things, but
they do need access to a couple of resources. I'm trying to ACL them
off from everything but what they need, but I'm having some issues with

Setup is like this:

Our server network:
T-1 network betw us & this dept:
Our WAN side is
Their WAN side is
Their network:

ACLs I want to use:

ip access-list extended FD_to_CRT
permit ip any host
permit ip any host
permit ip any host
deny ip any any
ip access-list extended CRT_to_FD
permit ip host any
permit ip host any
permit ip host any
deny ip any any

I have my router broken into subinterfaces for our different VLANs.

My question is, do I need to put the FD_to_CRT ACL on the subinterface
that's connected to my server VLAN and the CRT_to_FD ACL on the WAN T-1
interface that's connected to their router?

I've tried putting both ACLs on the WAN interface, but then they are
not able to connect to anything.