Only allow connection to single host on isolated network

CMUnityMgr
Level 1

I have a Catalyst 3750-X switch that appears to be used for a connection to an isolated network. I am trying to find a way to only allow traffic from a specific subnet to access a single host that is to be used as a jump server of sorts for secure access.

Currently only Privileged Access Workstations on the designated subnet are able to ping servers on the isolated network, so that part is working partially, but I want to ensure that the only access designated devices on the specified subnet have is to the jump station host and not to any of the servers. The route I am trying to set up to get to the isolated network is as follows:

Privileged Access Workstation (10.7.1.XXX) > Jump Server (192.168.4.XXX) > Isolated Network Servers (192.168.4.XXX)

Is there a way to set the switch to only hit the Jump Server while blocking traffic from the 10.7.1.XXX network unless it is going to the Jump Server? I appreciate any help with this, as I inherited the network and am unsure of how some things have been done.

5 Replies

balaji.bandi
Hall of Fame

Yes, you can implement an ACL.

Is the private configured on a physical interface, or on an interface VLAN (SVI)?

Show us an example config of your configured switch port.

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, it is configured and traffic is passing through to the isolated network. I'm not sure what changes need to be made to prevent access to the entire isolated network versus just the Jump Server, as intended.


Hello


@CMUnityMgr wrote:

, but I want to ensure that the only access designated devices on the specified subnet have access to is the jump station host and not any of the servers.

Privileged Access Workstation (10.7.1.XXX) > Jump Server (192.168.4.XXX) > Isolated Network Servers (192.168.4.XXX)

So just to confirm: any or a specific host from (10.7.1.xx) can access the jump server (192.168.4.xx) but not anything else within the jump server subnet?

Example
host = 10.7.1.10
Jump server = 192.168.4.10/24

ip access-list extended jumpserver-access
 permit ip host 10.7.1.10 host 192.168.4.10
 deny ip any 192.168.4.0 0.0.0.255
 permit ip any any

You need to apply this access-list to the device and interface that is performing the inter-VLAN routing for your LAN (it could be either an L3 switch/router or a firewall).

interface x/x
 description workstation vlan
 ip access-group jumpserver-access in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

So just to confirm: any or a specific host from (10.7.1.xx) can access the jump server (192.168.4.xx) but not anything else within the jump server subnet?

I apologize if I wrote it in a confusing way. What I am trying to ensure is that only hosts on the 10.7.1.X subnet can reach the Jump Server on the 192.168.4.X subnet, but no other devices on the 192.168.4.X subnet.

For example, if we had a server at 192.168.4.254 I do not want the hosts on the 10.7.1.X subnet to be able to hit that. They should only be able to hit the Jump Server at 192.168.4.100 and nothing else on that subnet.
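As an added illustration that is not part of this thread and not Cisco code: a small Python model of how an IOS extended ACL is evaluated, first match wins with an implicit deny at the end. It parses the single-host ACL Paul posted (typo corrected) and a constructed variant that widens the permit to the whole 10.7.1.0/24 workstation subnet, which is what the clarification above asks for, using the poster's own example addresses (jump server 192.168.4.100, server 192.168.4.254). The ACL text, the flows and the function names are assumptions made for this example; wildcard-mask handling covers contiguous masks only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL text in IOS syntax (hypothetical; not a config from the thread's switch).
# This one mirrors the single-host ACL from the reply above, with the keyword typo fixed.
PAUL_ACL = """
ip access-list extended jumpserver-access
 permit ip host 10.7.1.10 host 192.168.4.10
 deny ip any 192.168.4.0 0.0.0.255
 permit ip any any
"""

# This one widens the permit to the whole workstation subnet, as the original poster
# clarified, using the jump-server address from the poster's own example.
SUBNET_ACL = """
ip access-list extended jumpserver-access
 permit ip 10.7.1.0 0.0.0.255 host 192.168.4.100
 deny ip any 192.168.4.0 0.0.0.255
 permit ip any any
"""


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are the bitwise inverse of a subnet mask (0.0.0.255 <-> /24).
    # Only contiguous wildcards are handled here; ipaddress cannot express sparse ones.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn the body of an 'ip access-list extended' block into ordered AclEntry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":      # skip the 'ip access-list extended NAME' header
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        src, nxt = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, nxt)
        entries.append(AclEntry(action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, as IOS does it, with the implicit 'deny' after the last entry."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


if __name__ == "__main__":
    # Constructed flows: the poster's example server 192.168.4.254 must be unreachable,
    # the jump server must be reachable, and unrelated traffic must still pass.
    flows = [("10.7.1.10", "192.168.4.10"), ("10.7.1.11", "192.168.4.10"),
             ("10.7.1.55", "192.168.4.100"), ("10.7.1.55", "192.168.4.254"),
             ("10.7.1.55", "10.7.2.1")]
    for name, acl in (("single-host ACL", PAUL_ACL), ("subnet ACL", SUBNET_ACL)):
        entries = parse_acl(acl)
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: {evaluate(entries, src, dst)}")
```

Running it shows the point of the clarification: with the single-host ACL, 10.7.1.11 is denied even to the jump server because only 10.7.1.10 was permitted before the subnet-wide deny, while the subnet variant lets every 10.7.1.x host reach 192.168.4.100 and nothing else in 192.168.4.0/24. Either list is applied inbound on the workstation VLAN SVI, as in the reply above; it is stateless, so it says nothing about what the jump server itself may reach inside its own subnet.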