VPN AnyConnect: Unable to Block Specific Ports Using VPN Filter

ElizabethKh
Level 1

How can I filter the mentioned issue?
This is my VPN configuration

group-policy VPN-ANYCONNECT-CALL internal
group-policy VPN-ANYCONNECT-CALL attributes
dns-server value 172.80.10.30 172.80.10.31
vpn-simultaneous-logins 18
vpn-idle-timeout 5
vpn-filter value Deny_Policy_For-Anyconnect
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ANYCONNECT-CALL-SPLIT-ACL
default-domain value gpiclinic.ge
split-tunnel-all-dns enable
client-bypass-protocol enable
address-pools value ANYCONNECT-CALL
webvpn
anyconnect ssl dtls none
anyconnect mtu 1400
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect profiles value ANYCONNECT-CALL-PROF type user
anyconnect ssl df-bit-ignore enable


This is the configuration of the vpn-filter value Deny_Policy_For-Anyconnect.

Result of the command: "show access-list Deny_Policy_For-Anyconnect"

access-list Deny_Policy_For-Anyconnect; 184 elements; name hash: 0xe5e4e88f
access-list Deny_Policy_For-Anyconnect line 1 extended deny udp any object-group DATAGRAM any object-group DATAGRAM (hitcnt=0) 0xb521692f
access-list Deny_Policy_For-Anyconnect line 1 extended deny udp any eq 13 any eq 13 (hitcnt=0) 0x62f2bf47
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any object-group DM_INLINE_TCP_28 any object-group DM_INLINE_TCP_27 (hitcnt=0) 0x8957e885
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq chargen (hitcnt=0) 0xc5549978
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq discard (hitcnt=0) 0x43d2fbc5
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq echo (hitcnt=0) 0x4707b25e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq imap4 (hitcnt=0) 0xf9b11552
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq 137 (hitcnt=0) 0xba52c55a
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq 138 (hitcnt=0) 0xa769c40a
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq netbios-ssn (hitcnt=0) 0xc6e0dd06
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq pop3 (hitcnt=0) 0xf2ac95f8
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq login (hitcnt=0) 0x45b3ce06
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq daytime (hitcnt=0) 0xd8e5361a
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq 137 (hitcnt=0) 0xe6c552d3
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq 138 (hitcnt=0) 0xfcbb1a1b
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq netbios-ssn (hitcnt=0) 0x5843a2f9
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq pop3 (hitcnt=0) 0x0ae22ff1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq login (hitcnt=0) 0xb2807a62
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq daytime (hitcnt=0) 0x4e2fee80
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq echo (hitcnt=0) 0x59a3b110
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq 69 (hitcnt=0) 0xacfd547f
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq discard any eq telnet (hitcnt=0) 0xe28985f9
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq chargen (hitcnt=0) 0xf85de275
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq discard (hitcnt=0) 0xf7fb1485
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq echo (hitcnt=0) 0x518a9fec
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq imap4 (hitcnt=0) 0xa26a99b1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq 137 (hitcnt=0) 0x05b7cc44
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq 138 (hitcnt=0) 0x79c6d3d5
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq netbios-ssn (hitcnt=0) 0xbaa6ad97
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq pop3 (hitcnt=0) 0xfdae351c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq imap4 any eq telnet (hitcnt=0) 0xd601ed94
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq chargen (hitcnt=0) 0x428c56c5
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq discard (hitcnt=0) 0xfa0da710
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq echo (hitcnt=0) 0x6c43740b
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq imap4 (hitcnt=0) 0x012c7767
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq 137 (hitcnt=0) 0x8bb775f1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq 138 (hitcnt=0) 0xcf1e7713
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq netbios-ssn (hitcnt=0) 0xd96856af
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq pop3 (hitcnt=0) 0x45439c21
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq login (hitcnt=0) 0x52fa334f
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq daytime (hitcnt=0) 0xd886730c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq echo (hitcnt=0) 0x6c43740b
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq 69 (hitcnt=0) 0xee5653a6
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq telnet (hitcnt=0) 0x59c9410e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq chargen (hitcnt=0) 0x909700a8
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq discard (hitcnt=0) 0xbb0455c8
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq echo (hitcnt=0) 0x974391f3
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq imap4 (hitcnt=0) 0xe319ded0
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq 137 (hitcnt=0) 0xb11808cd
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq 138 (hitcnt=0) 0xdc038436
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq netbios-ssn (hitcnt=0) 0xe9965ce1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq pop3 (hitcnt=0) 0x52ccaea9
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq login (hitcnt=0) 0xe083f500
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq daytime (hitcnt=0) 0x39de9b05
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq echo (hitcnt=0) 0x974391f3
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq 69 (hitcnt=0) 0x567cda02
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 138 any eq telnet (hitcnt=0) 0x79aada9b
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq chargen (hitcnt=0) 0xf9655b0e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq discard (hitcnt=0) 0xa62d7c17
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq echo (hitcnt=0) 0xc8c0748d
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq imap4 (hitcnt=0) 0x1e6f8ac7
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq 137 (hitcnt=0) 0x82390547
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq 138 (hitcnt=0) 0xc3b483f1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq netbios-ssn (hitcnt=0) 0x86c02992d
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq 69 (hitcnt=0) 0xf557fe62
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq netbios-ssn any eq telnet (hitcnt=0) 0x48438839
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq chargen (hitcnt=0) 0x227feb57
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq discard (hitcnt=0) 0xcb0123d3
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq echo (hitcnt=0) 0x934e49f7
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq imap4 (hitcnt=0) 0xaee71391
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq 137 (hitcnt=0) 0xa91ef561
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq 138 (hitcnt=0) 0xcc41480e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq netbios-ssn (hitcnt=0) 0xd02faf95
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq pop3 any eq telnet (hitcnt=0) 0xe8348c14
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq chargen (hitcnt=0) 0xe15ec9ea
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq discard (hitcnt=0) 0xed747b7c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq echo (hitcnt=0) 0x887d4323
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq imap4 (hitcnt=0) 0x9364d71f
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq 137 (hitcnt=0) 0xfb954603
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq 138 (hitcnt=0) 0x1a0b3868
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq netbios-ssn (hitcnt=0) 0xbba02cae
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq pop3 (hitcnt=0) 0xb64cb4bb
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq login (hitcnt=0) 0x48029f4a
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq daytime (hitcnt=0) 0xddefa6fc
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq echo (hitcnt=0) 0x887d4323
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq 69 (hitcnt=0) 0xaa4da313
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq login any eq telnet (hitcnt=0) 0xaf317a17
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq daytime any eq chargen (hitcnt=0) 0x24f62010
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq daytime any eq 69 (hitcnt=0) 0xfad1a93d
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq daytime any eq telnet (hitcnt=0) 0xa820729f
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq chargen (hitcnt=0) 0xf85de275
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq discard (hitcnt=0) 0xf7fb1485
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq echo (hitcnt=0) 0x518a9fec
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq imap4 (hitcnt=0) 0xa26a99b1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq 137 (hitcnt=0) 0x05b7cc44
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq 138 (hitcnt=0) 0x79c6d3d5
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq netbios-ssn (hitcnt=0) 0xbaa6ad97
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq pop3 (hitcnt=0) 0xfdae351c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq login (hitcnt=0) 0xa50ba2d9
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq daytime (hitcnt=0) 0x1e54bead
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq echo (hitcnt=0) 0x518a9fec
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq 69 (hitcnt=0) 0xab9c2e03
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq echo any eq telnet (hitcnt=0) 0x6e8b8bdc
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq chargen (hitcnt=0) 0xb264805a
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq discard (hitcnt=0) 0xea27bd9c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq echo (hitcnt=0) 0x71bbb5f7
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq imap4 (hitcnt=0) 0x2fa3fb2e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq 137 (hitcnt=0) 0x2e9ea671
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq 138 (hitcnt=0) 0x841e6b6c
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq netbios-ssn (hitcnt=0) 0xd7b38806
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq pop3 (hitcnt=0) 0x96b215c1
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq login (hitcnt=0) 0x0be376c7
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq 69 (hitcnt=0) 0xcec3adb9
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 69 any eq telnet (hitcnt=0) 0xf75580ff
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq chargen (hitcnt=0) 0x6e6e7718
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq discard (hitcnt=0) 0x5da84a6e
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq echo (hitcnt=0) 0x92bb5cf8
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq imap4 (hitcnt=0) 0x659f04a6
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq 137 (hitcnt=0) 0xc4c78a45
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq 138 (hitcnt=0) 0xc24a6172
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq telnet any eq netbios-ssn (hitcnt=0) 0x5a79ee4e
access-list Deny_Policy_For-Anyconnect line 3 extended deny tcp any any eq echo (hitcnt=0) 0x8210e44c
access-list Deny_Policy_For-Anyconnect line 3 extended deny tcp any any eq 69 (hitcnt=0) 0x8ac32d16
access-list Deny_Policy_For-Anyconnect line 3 extended deny tcp any any eq telnet (hitcnt=0) 0x1aa227ef
access-list Deny_Policy_For-Anyconnect line 4 extended permit ip any any (hitcnt=1974489) 0x3f960343


However, it still appears that these ports are being accessed. For example, VPN-ANYCONNECT-CALL — the subnet is 192.168.0.0/28, and the logs show that the connected user with the IP 192.168.0.10 is trying to access 192.168.0.15 on port 139.
Please help us with this issue — how can we block these ports?
I need a solution: how can I block these ports?

3 Replies

Except for the last 4 lines, you're specifying source ports in all of the deny statements.

For example, you're only blocking access to port 139 IF the source port is 19, 9, 7, 137, 138, 139, 110, 513, 69 or 23.

For a normal TCP connection, where the source port is probably a random socket between 1025-65535, it's not going to match these lines.
So it's unlikely that any of your deny lines will be hit.

If you want to block all traffic to TCP port 139, the relevant access-list entry should look like:
access-list Deny_Policy_For-Anyconnect line <#> extended deny tcp any any eq 139

(source port = any)

---
Please mark helpful answers & solutions
---
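To make the point in this reply concrete, here is a small first-match ACL evaluator written for this thread (it is an added example, not Cisco code and not the poster's configuration). It parses the "show access-list" line format shown in the question, handles only "any" endpoints with optional "eq" port operators, and replays the flow from the question (client 192.168.0.10 to 192.168.0.15 on TCP 139) with a constructed ephemeral source port 51234 against an excerpt of the current ACL and against a constructed copy that carries the recommended "deny tcp any any eq 139" entry. The hit counts and hashes on the constructed lines are placeholders.

```python
"""Replay sample flows through an ASA-style extended ACL (first match wins).

Added illustration for this thread, not Cisco code. Parses the
"show access-list" line format from the question, handles only "any"
endpoints with optional "eq" port operators, and skips the object-group
summary lines (the ASA prints the expanded entries right after them).
"""
import re
from dataclasses import dataclass
from typing import Optional

# ASA service keywords seen in the question's ACL, mapped to port numbers.
PORT_NAMES = {
    "echo": 7, "discard": 9, "daytime": 13, "chargen": 19, "telnet": 23,
    "tftp": 69, "pop3": 110, "netbios-ns": 137, "netbios-dgm": 138,
    "netbios-ssn": 139, "imap4": 143, "login": 513,
}

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"any(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"any(?:\s+eq\s+(?P<dport>\S+))?(?:\s|$)"
)


@dataclass(frozen=True)
class Ace:
    line: int
    action: str
    proto: str            # tcp, udp, or ip (ip matches any protocol)
    sport: Optional[int]  # None means "any source port"
    dport: Optional[int]  # None means "any destination port"
    text: str

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return self.dport is None or self.dport == dport


def port_number(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_acl(output: str) -> list[Ace]:
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m is None:
            continue  # header line or object-group summary line
        aces.append(Ace(int(m["line"]), m["action"], m["proto"],
                        port_number(m["sport"]), port_number(m["dport"]),
                        raw.strip()))
    return aces


def decide(output: str, proto: str, sport: int, dport: int) -> str:
    """Return 'permit' or 'deny' plus the ACL line that decided it."""
    for ace in parse_acl(output):
        if ace.matches(proto, sport, dport):
            return f"{ace.action} (line {ace.line})"
    return "deny (implicit deny at end of ACL)"


def source_port_denies(output: str) -> list[str]:
    """Deny entries that only match one fixed source port; with ephemeral
    client ports these almost never fire. Useful as a quick ACL audit."""
    return [a.text for a in parse_acl(output)
            if a.action == "deny" and a.sport is not None]


# Excerpt of the question's ACL output: header, one object-group summary
# line, two expanded entries bound to a source port, one without, the permit.
CURRENT_ACL = """\
access-list Deny_Policy_For-Anyconnect; 184 elements; name hash: 0xe5e4e88f
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any object-group DM_INLINE_TCP_28 any object-group DM_INLINE_TCP_27 (hitcnt=0) 0x8957e885
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq chargen any eq netbios-ssn (hitcnt=0) 0xc6e0dd06
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any eq 137 any eq netbios-ssn (hitcnt=0) 0xd96856af
access-list Deny_Policy_For-Anyconnect line 3 extended deny tcp any any eq telnet (hitcnt=0) 0x1aa227ef
access-list Deny_Policy_For-Anyconnect line 4 extended permit ip any any (hitcnt=1974489) 0x3f960343
"""

# Constructed: the entry the reply recommends placed before the final permit
# (hit count and hash on the new line are placeholders).
FIXED_ACL = """\
access-list Deny_Policy_For-Anyconnect line 1 extended deny tcp any any eq 139 (hitcnt=0) 0x00000000
access-list Deny_Policy_For-Anyconnect line 2 extended deny tcp any any eq telnet (hitcnt=0) 0x1aa227ef
access-list Deny_Policy_For-Anyconnect line 3 extended permit ip any any (hitcnt=1974489) 0x3f960343
"""

if __name__ == "__main__":
    # The flow from the question (192.168.0.10 -> 192.168.0.15:139) with a
    # constructed ephemeral source port.
    print("current ACL:", decide(CURRENT_ACL, "tcp", 51234, 139))
    print("fixed ACL  :", decide(FIXED_ACL, "tcp", 51234, 139))
    for text in source_port_denies(CURRENT_ACL):
        print("source-port-bound deny:", text)
```

Running it shows the current ACL falling through to the "permit ip any any" line for the port 139 flow, which is exactly why that entry's hit count climbs while every deny stays at zero, and the fixed ACL stopping it on the new line 1. The source_port_denies helper lists every deny that is tied to a fixed source port, a quick way to spot the same mistake elsewhere in a long ACL before looking at hit counts.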

I also have this access list.

ElizabethKh_3-1761050432279.png


ElizabethKh
Level 1

I also have these.

ElizabethKh_0-1761050316534.png

This is my attachment