09-17-2020 06:03 AM
Hello,
Our company security team was complaining about these open ports (139, 445), so I tried to remove them from our standard split-tunnel access-list, but nmap still finds them open:
--
Starting Nmap 7.60 ( https://nmap.org ) at 2020-09-17 14:15 CEST
Nmap scan report for XXXXXXX.xxxxx.lan (192.168.188.31)
Host is up (0.0016s latency).
Not shown: 98 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: C4:65:16:82:XX:XX (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
--
access-list LOCAL_LAN_SPLIT_FW_PUB remark Client Local LAN Access PUB Network FW Rules
access-list LOCAL_LAN_SPLIT_FW_PUB extended deny ip any any
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit icmp any any
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit tcp any any eq lpd
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit tcp any any eq 631
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit tcp any any eq 9100
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit udp any host 224.0.0.251 eq 5353
access-list LOCAL_LAN_SPLIT_FW_PUB extended permit udp any host 224.0.0.252 eq 5353
access-list LOCAL_LAN_SPLIT remark Client Local LAN Access
access-list LOCAL_LAN_SPLIT standard permit host 0.0.0.0
group-policy AnyConnect-TEST internal
group-policy AnyConnect-TEST attributes
dns-server value xxx.xxx.xxx.xxx
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value LOCAL_LAN_SPLIT
split-tunnel-all-dns disable
smartcard-removal-disconnect disable
webvpn
anyconnect firewall-rule client-interface public value LOCAL_LAN_SPLIT_FW_PUB
anyconnect modules value vpngina,nam
anyconnect profiles value network_manager type nam
anyconnect profiles value test_v10 type user
anyconnect ssl df-bit-ignore enable
always-on-vpn profile-setting
--
Any idea?
Thank you.
Michael
09-17-2020 07:56 AM
Hi @MiPap99080
Don't attempt to control access using the split-tunnel ACL; use the VPN filter to control which protocols/ports the user should access.
HTH
09-18-2020 06:26 AM
Extended ACLs won't work with AnyConnect; you should use the VPN filter as @Rob Ingram described.
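A vpn-filter configuration along the lines the two replies above suggest, as an added example (it is not from the original thread and not Cisco's own documentation). It reuses the group-policy name from Michael's post; the ACL name VPN_FILTER_TEST is an assumption. Because Cisco applies a vpn-filter ACL to traffic in both directions of the tunnel, the deny lines match the NetBIOS/SMB ports whether they appear on the source or the destination side, and the final permit is needed because a vpn-filter ACL ends in an implicit deny. One caveat a practitioner should keep in mind: a vpn-filter only sees traffic that actually traverses the tunnel, so with split-tunnel-policy excludespecified the client's local-LAN traffic (which is what the nmap scan above exercises) never reaches the ASA and is not affected by it.

```text
! Assumed ACL name: VPN_FILTER_TEST (added example, not from the thread)
access-list VPN_FILTER_TEST remark Block NetBIOS session and SMB through the tunnel in either direction
access-list VPN_FILTER_TEST extended deny tcp any eq 139 any
access-list VPN_FILTER_TEST extended deny tcp any eq 445 any
access-list VPN_FILTER_TEST extended deny tcp any any eq 139
access-list VPN_FILTER_TEST extended deny tcp any any eq 445
! A vpn-filter ACL has an implicit deny at the end, so permit the rest explicitly
access-list VPN_FILTER_TEST extended permit ip any any
!
group-policy AnyConnect-TEST attributes
 vpn-filter value VPN_FILTER_TEST
```

After a client reconnects, `show access-list VPN_FILTER_TEST` shows per-line hit counts, which is the quickest way to confirm that SMB attempts over the tunnel are hitting the deny lines rather than the final permit.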
09-18-2020 07:52 AM
Dear All,
I believe the ruleset works; please check out this post: https://community.cisco.com/t5/network-management/asa-configuration/td-p/3686512
I did some tests with a plain Windows 10 install (without the McAfee client protection service).
It seems that AnyConnect 4.9.x interacts perfectly with MS Defender.
I took a couple of screenshots.
But I will give vpn-filter a try.
Thank you.
Michael