Hello all,
I'm very new to Cisco technology and have a question that may turn out to be easy for you Cisco gurus!!
I have a couple of Cisco routers (871) in different offices and I have set up site-to-site VPNs between them. It happens that I would like to block (or maybe control) users accessing the Internet through these routers, but I don't know which configuration I should set and which commands to use. I also have an internal website at one of the sites, which we access through the VPN (we use an IP to access it), so I don't want to block this traffic.
My router settings are:
CISCO-KIE#sho run
Building configuration...
!
!
no ip bootp server
ip domain name KIE
ip name-server ***.***.***.***
ip name-server ***.***.***.***
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address ***.***.***.***
crypto isakmp key ****** address ***.***.***.***
crypto isakmp key ****** address ***.***.***.***
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to***.***.***.***
set peer ***.***.***.***
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to***.***.***.***
set peer ***.***.***.***
set transform-set ESP-3DES-SHA
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to***.***.***.***
set peer ***.***.***.***
set transform-set ESP-3DES-SHA
match address 103
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address ***.***.***.*** 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.28.0.14 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.28.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.28.0.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.28.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.28.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.28.0.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 101 permit ip 172.28.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.28.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.28.0.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
CISCO-KIE#
Thank you for all the help you can give me
Sebastian
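One way to do what the post asks, as an added example that is not part of the original post or the poster's running configuration: an extended ACL applied inbound on Vlan1 that permits the LAN only to the three remote VPN subnets already listed in access-lists 100, 102 and 103 (and to the router's own inside address, so management from the LAN keeps working), and drops everything else, which is exactly the traffic the route-map SDM_RMAP_1 would otherwise NAT out FastEthernet4. The ACL number 104 is assumed to be unused, and the host 172.28.0.50 is a constructed example of a single machine that is still allowed out; both are assumptions, not values from the post.

```cisco
! Added example, not the poster's config. ACL 104 is an assumed free number;
! 172.28.0.50 is a constructed example host, not an address from the post.
!
! Traffic that must keep flowing: LAN to the three VPN remote subnets
! (same prefixes as the crypto ACLs 100, 102 and 103).
access-list 104 remark LAN -> VPN remote subnets stays allowed
access-list 104 permit ip 172.28.0.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 104 permit ip 172.28.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 172.28.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! LAN hosts must still reach the router's own inside address (SSH/HTTP
! management on 172.28.0.14), otherwise an inbound ACL on Vlan1 cuts it off.
access-list 104 remark LAN -> router inside address (management)
access-list 104 permit ip 172.28.0.0 0.0.0.255 host 172.28.0.14
!
! Optional "control" part: one constructed example host allowed to the Internet.
! Add one such line per host that needs Internet access; they must sit above the deny.
access-list 104 remark Example host allowed to the Internet (constructed address)
access-list 104 permit ip host 172.28.0.50 any
!
! Everything else from the LAN is dropped. 'log' records the hits so that
! 'show access-list 104' and the syslog show what is being blocked.
access-list 104 remark Everything else from the LAN is blocked
access-list 104 deny ip any any log
!
! Apply it to traffic entering the router from the LAN side.
interface Vlan1
 ip access-group 104 in
```

Two points worth knowing before applying this. First, an inbound ACL on Vlan1 only filters packets that LAN hosts send into the router; the router's own IKE and IPsec traffic to the peers, and traffic arriving from the remote sites through the tunnels, are not affected, so the VPNs stay up. Second, the two `ip name-server` entries in the post point outside the LAN, so with this ACL in place LAN hosts can no longer resolve Internet names; that is fine for the internal website reached by IP, but any host that must keep name resolution needs an extra permit (for example `permit udp 172.28.0.0 0.0.0.255 host <dns-server> eq domain`, with the real server address filled in) placed above the deny line. `show access-list 104` shows the per-line hit counters, which is the quickest way to confirm the VPN permits are matching and the deny is catching the rest.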