1016 Views, 0 Helpful, 0 Replies
ASA5520 - Restrict egress SMB Ports Traffic

We would like to restrict SMB egress port traffic:

TCP 445 - SMB over TCP port.
TCP 137 - SMB over TCP port (via NetBIOS).
UDP 137 - SMB over UDP port (via NetBIOS).
UDP 138 - SMB over UDP port (via NetBIOS).
TCP 139 - SMB over TCP port (via NetBIOS).
SMB v3 ports.

 

I was thinking of creating object-groups and access lists as follows:

hostname (config)# object-group service badports-udp udp
hostname (config-service)# port-object eq 69
hostname (config-service)# port-object eq 135
hostname (config-service)# port-object range 137 139
hostname (config-service)# port-object range 161 162
hostname (config-service)# port-object eq 514

hostname (config)# object-group service badports-tcp tcp
hostname (config-service)# port-object eq 135
hostname (config-service)# port-object range 137 139
hostname (config-service)# port-object eq 445
hostname (config-service)# port-object range 6660 6669

access-list 100 extended deny object-group badports-udp any any
access-list 100 extended deny object-group badports-tcp any any

 

However, while testing this concept in Packet Tracer before implementing it on the 5506-X ASA, I receive the following error:

ERROR: Invalid object-group type

Either I have a syntax problem or my concept is flawed and I need to find another way to block that traffic.

How would you resolve this?
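As an added example (not part of the thread), the same filter written with the ACL syntax the ASA expects: a service object-group created with a protocol keyword (`tcp`/`udp`) is a port list and must appear in the port position after the destination, not in the protocol position. The object-group names are the poster's; the interface name `inside` and the `log` keyword are assumptions.

```cisco
! Protocol-typed service groups hold ports, so they go in the PORT position.
! "deny object-group badports-tcp any any" puts them in the PROTOCOL position,
! which the ASA rejects with "ERROR: Invalid object-group type".
object-group service badports-tcp tcp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object range 6660 6669
object-group service badports-udp udp
 port-object eq 69
 port-object eq 135
 port-object range 137 139
 port-object range 161 162
 port-object eq 514
!
! Deny outbound SMB/NetBIOS (SMBv3 also uses TCP 445) and log each hit
! so blocked attempts show up in syslog for review.
access-list 100 extended deny tcp any any object-group badports-tcp log
access-list 100 extended deny udp any any object-group badports-udp log
! An ACL ends with an implicit deny; permit the remaining egress traffic.
access-list 100 extended permit ip any any
! Egress from the internal network is filtered inbound on the inside
! interface (interface name is an assumption).
access-group 100 in interface inside
!
! Alternative: a protocol-less service group carries protocol AND port,
! so it can sit in the protocol position as the original post attempted.
object-group service badports
 service-object tcp destination eq 445
 service-object tcp destination range 137 139
 service-object udp destination range 137 138
access-list 101 extended deny object-group badports any any log
```

After applying the access-group, `packet-tracer input inside tcp 10.0.0.5 40000 203.0.113.10 445` (addresses are constructed) should show the flow dropped by access-list 100.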
