ISP - Routing of private addresses

May 7th, 2009

Apologies if this is the wrong forum but it seems the closest to possibly helping us with our problem.

We have Internet service via cable (RoadRunner) and were having trouble with a VPN connection to one of our branch offices. The VPN would properly establish (to the public IP address), but we were unable to access hosts on the branch LAN.

The problem:

The inside subnet at the branch is

What we discovered is that RR was routing that subnet on the public side of our network. I did not think that it was permissible for an ISP to route private address spaces on the public side, but they claim that they can and do.

Now, I would have thought that our requests from remote client to VPN site would go through the tunnel, but somehow because RR is routing that private subnet it never gets there.

Would appreciate any explanations or suggestions.


Paolo Bevilacqua Thu, 05/07/2009 - 16:35

Hi, the thing is that with a proper VPN setup, an ISP should not ever see your private addresses.

To configure your VPN properly, refer to vendor documentation and support.

curt-wwwww Fri, 05/08/2009 - 09:35

Thanks for your response. However, I'm pretty sure the VPN is configured properly.

1. It functions from all locations not serviced by RR, including EVDO aircards.

2. VPN config has been reviewed by Cisco TAC and found o.k.

I'm grasping for straws. Short of changing ISP or branch office subnet, I'm looking for work-arounds or references that might be applicable.

E.g., does anyone have a reference to an IETF/IANA document that actually forbids routing of private networks on public spaces (or is it actually permissible)?

Paolo Bevilacqua Fri, 05/08/2009 - 14:32

Nothing forbids routing of private addresses.

A proper VPN setup does not depend on routing of private addresses by ISP, or lack thereof.

Your VPN is "leaking" private addresses and that should not happen. You ought to find why. TAC should be able to help.
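
One way to test for the leak described in the reply above, as an added example that is not part of the original thread: scan a `tcpdump -n` text capture taken on the public-facing interface and report any packet whose outer IP header carries an RFC 1918 address. The capture lines and every address in them (including 10.20.0.5) are constructed for illustration, and the sketch assumes the public-facing interface itself has a public address.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress' is_private also covers
# documentation and other special-purpose ranges, which would skew the result.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in `tcpdump -n` text format (not data from the thread).
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.200000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
12:00:02.300000 IP 203.0.113.10.51514 > 10.20.0.5.445: Flags [S], seq 1, win 64240, length 0
12:00:03.400000 IP 203.0.113.10 > 10.20.0.5: ICMP echo request, id 7, seq 1, length 64
12:00:04.500000 IP 203.0.113.10.53011 > 192.0.2.53.53: 4660+ A? example.com. (29)
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def host_part(token):
    """Drop the optional '.port' suffix tcpdump appends to an IPv4 address."""
    return ipaddress.ip_address(".".join(token.split(".")[:4]))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_leaks(capture_text):
    """Return (src, dst, summary) for packets with a private outer address."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 line (ARP, IPv6, ...)
        src, dst = host_part(m.group(1)), host_part(m.group(2))
        # Tunnelled traffic shows only the public peer addresses here;
        # a private address in the outer header bypassed the tunnel.
        if is_rfc1918(src) or is_rfc1918(dst):
            leaks.append((str(src), str(dst), m.group(3)))
    return leaks


if __name__ == "__main__":
    for src, dst, summary in find_leaks(SAMPLE_CAPTURE):
        print(f"cleartext private traffic: {src} -> {dst}  {summary}")
```

An empty result while the tunnel is up and branch hosts are being accessed means the ISP only ever sees the encapsulated packets between the two public peers.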

Richard Burts Tue, 05/12/2009 - 11:25


I agree with Paolo that in most VPN implementations the ISP does not see your private addresses and cannot route them. Perhaps it would be helpful if you would post the configuration of the branch office device that implements the VPN? What is the branch office device that implements VPN?



dgroscost Tue, 05/19/2009 - 12:31

Is it possible that your cable provider sold you a package (such as SoHo) that does not allow VPN usage? I know with some cable companies the lower end packages do not allow for VPN connectivity - just a thought.

Config output would be helpful.

