Can anyone help regarding firewall rules for a VPN tunnel?
I have a single 2930 at one of our clients' HQ that connects to around 25 remote sites (with 2820) via IPsec tunnels. All works well & I have no issues with connectivity.
I don't need to restrict access from HQ to the remote site; however, I also don't want a LAN user at a remote site to be able to see the LAN at HQ. I'd like to restrict incoming traffic to whatever is required to maintain the VPN & some specific ports that are used to monitor the status of some security systems that we have on site. The firewall filters don't look overly user-friendly. Any assistance appreciated.