ASA 5510: Access-List Task

8 years 11 months ago #38627 by Harry_Hard
Hi everyone.

I got a question regarding ASA 5510 Configuration.

I need to deny a group of hosts access to Fileshares (SMB).
I tried to block ports 445 and 139 (TCP), but it didn't work.

The other task is a bit harder, I guess.
The same hostgroup needs to be allowed access to one specific site via 80/443 and all other access to internet sites must be denied.

I have no Idea how to solve that, so I hope you can help me :-)
8 years 11 months ago #38633 by Chris
Replied by Chris on topic ASA 5510: Access-List Task
Harry,

You'll need to block the following ports/protocols in order to block SMB file sharing:

137/UDP
137/TCP
138/UDP
139/TCP
445/TCP

Let us know how it went.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
8 years 10 months ago - 8 years 10 months ago #38649 by kev972
Replied by kev972 on topic ASA 5510: Access-List Task
It is on IOS 8.4(2).

object-group network MyHostGrp
network-object host 192.168.1.100
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103

object-group service DenySvcGrp
service-object tcp destination eq 137
service-object tcp destination eq 139
service-object tcp destination eq 445
service-object udp destination eq 137
service-object udp destination eq 138

object-group service PermitSvcGrp
service-object tcp destination eq 80
service-object tcp destination eq 443


access-list outside extended deny object-group <Services in question> <Host to deny services> <to any dest>


access-list outside extended permit object-group PermitSvcGrp object-group MyHostGrp any
access-list outside extended deny object-group DenySvcGrp object-group MyHostGrp any
access-list outside extended deny ip object-group MyHostGrp any

access-group outside in interface outside


Did not have time to test it.
Need to sleep. I hope it works, let me know :pinch:
Last edit: 8 years 10 months ago by kev972.
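As an added illustration (not code from kev972 or from the ASA itself), the following Python replays the object groups and ACE order from the post above against a few constructed flows, showing the first-match behaviour of an ASA access-list. It assumes the ACL is applied inbound on the interface the 192.168.1.x hosts sit behind, and narrows the 80/443 permit to a constructed placeholder address for the one site Harry wants to allow.

```python
"""Added example (not from the thread): a first-match evaluator that replays
kev972's object groups and access-list order against constructed sample flows."""

# Object groups as posted by kev972.
MY_HOST_GRP = {"192.168.1.100", "192.168.1.101", "192.168.1.102", "192.168.1.103"}
DENY_SVC_GRP = {("tcp", 137), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}
PERMIT_SVC_GRP = {("tcp", 80), ("tcp", 443)}

# Constructed placeholder for the one site Harry wants reachable over 80/443
# (assumption: kev972's post permits 'any' destination instead).
ALLOWED_SITE = "203.0.113.10"

# (action, service group or None for 'ip', source group, destination or 'any'),
# in the order kev972 listed the ACEs. The ASA evaluates an access-list top-down
# and stops at the first match; an unmatched packet hits the implicit deny.
RULES = [
    ("deny", DENY_SVC_GRP, MY_HOST_GRP, "any"),
    ("permit", PERMIT_SVC_GRP, MY_HOST_GRP, ALLOWED_SITE),
    ("deny", None, MY_HOST_GRP, "any"),
]


def evaluate(rules, src, proto, dport, dst):
    """Return (action, index of matching ACE) or ('deny', None) for the implicit deny."""
    for i, (action, services, sources, dest) in enumerate(rules):
        if src not in sources:
            continue
        if services is not None and (proto, dport) not in services:
            continue
        if dest != "any" and dst != dest:
            continue
        return action, i
    return "deny", None


# Constructed sample flows: (src, proto, dport, dst, expected action).
SAMPLE_FLOWS = [
    ("192.168.1.100", "tcp", 445, "10.0.0.5", "deny"),      # SMB blocked by ACE 0
    ("192.168.1.101", "udp", 138, "10.0.0.5", "deny"),      # NetBIOS datagram, ACE 0
    ("192.168.1.101", "tcp", 443, ALLOWED_SITE, "permit"),  # the one permitted site
    ("192.168.1.101", "tcp", 443, "198.51.100.7", "deny"),  # any other web site, ACE 2
    ("192.168.1.50", "tcp", 80, ALLOWED_SITE, "deny"),      # host outside the group: implicit deny
]


def replay(rules=RULES, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; return a list of (flow, action, ace_index)."""
    return [(f[:4], *evaluate(rules, *f[:4])) for f in flows]


if __name__ == "__main__":
    for flow, action, idx in replay():
        print(f"{flow} -> {action} (ACE {idx if idx is not None else 'implicit'})")
```

The last sample flow is the caveat to watch: once an access-group is bound to the interface, hosts that are not in MyHostGrp match nothing and fall into the implicit deny, so any other hosts on that interface need their own permit entries.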