ASA 5506 Policing SMB Traffic

rschember1
Level 1

I need to be able to police SMB traffic from a Windows 2016 server (10.10.1.11) to a specific Windows 10 PC (10.10.20.12) and I just can't get it working. 

 

Interestingly, if I use FTP, the policing DOES work. If I use Windows Explorer, it bypasses the policing and it's allowed to use all of the available bandwidth, saturating the network. I used NetMon to check the ports, and it's using TCP/139. Even specifically adding TCP/139 to the object group does not work.

 

What am I missing? Is the ASA incapable of policing SMB traffic?

 

object-group protocol IP_TCP_UDP
 protocol-object ip
 protocol-object tcp
 protocol-object udp

access-list Server_Win10 extended permit object-group IP_TCP_UDP host 10.10.1.11 host 10.10.20.12 

class-map Server_Win10
 match access-list Server_Win10

policy-map inside_policy
 class Server_Win10
  police input 1500000 1500
  police output 1500000 1500

service-policy inside_policy interface inside_1
service-policy inside_policy interface inside_2
2 Replies

Hello @rschember1

Try adding port 445 as well. Also, these ports can be used: 137 (UDP), 138 (UDP).

 

 

-If I helped you somehow, please, rate it as useful.-

 No, it still doesn't work. It's totally bizarre. It seems to work for everything except copying files from Windows Explorer between windows. Then it bypasses the bandwidth policing and saturates the network.
