
ISP - Routing of private addresses

curt-wwwww

Apologies if this is the wrong forum but it seems the closest to possibly helping us with our problem.

We have Internet service via cable (RoadRunner) and were having trouble with a VPN connection to one of our branch offices. The VPN would properly establish (to the public IP address), but we were unable to access hosts on the branch LAN.

The problem:

The inside subnet at the branch is 10.32.0.0/16.

What we discovered is that RR was routing that subnet on the public side of our network. I did not think that it was permissible for an ISP to route private address spaces on the public side, but they claim that they can and do.

Now, I would have thought that our requests from remote client to VPN site would go through the tunnel, but somehow because RR is routing that private subnet it never gets there.

Would appreciate any explanations or suggestions.

TIA


paolo bevilacqua

Hi, the thing is that with a proper VPN setup, an ISP should not ever see your private addresses.

To configure your VPN properly, refer to vendor documentation and support.

Thanks for your response. However, I'm pretty sure the VPN is configured properly.

1. It functions from all locations not serviced by RR, including EVDO aircards.

2. VPN config has been reviewed by Cisco TAC and found o.k.

I'm grasping for straws. Short of changing ISP or branch office subnet, I'm looking for work-arounds or references that might be applicable.

E.g., does anyone have a reference to an IETF/IANA document that actually forbids routing of private networks on public spaces (or is it actually permissible)?

Nothing forbids routing of private addresses.

A proper VPN setup does not depend on routing of private addresses by ISP, or lack thereof.

Your VPN is "leaking" private addresses and that should not happen. You ought to find why. TAC should be able to help.

Curt

I agree with Paolo that in most VPN implementations the ISP does not see your private addresses and cannot route them. Perhaps it would be helpful if you would post the configuration of the branch office device that implements the VPN? What is the branch office device that implements VPN?

HTH

Rick

Is it possible that your cable provider sold you a package (such as SoHo) that does not allow VPN usage? I know with some cable companies the lower end packages do not allow for VPN connectivity - just a thought.

Config output would be helpful.
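
The thread turns on whether packets for 10.32.0.0/16 enter the tunnel or follow a route toward the ISP. As an added example (not code from any poster, and not a diagnosis of this case), the Python below applies longest-prefix matching to constructed route tables to show which branch hosts would bypass the tunnel; the interface names, the /21 route and the host addresses are assumptions.

```python
import ipaddress

BRANCH_LAN = ipaddress.ip_network("10.32.0.0/16")  # branch subnet from the thread
TUNNEL_IF = "tun0"                                 # hypothetical tunnel interface name

# Constructed route tables as (prefix, egress interface) pairs.
ROUTES_OK = [
    ("0.0.0.0/0", "wan0"),        # default route toward the ISP
    ("10.32.0.0/16", "tun0"),     # branch LAN via the VPN tunnel
]
# Same table plus a constructed more-specific route on the WAN side.
ROUTES_SHADOWED = ROUTES_OK + [("10.32.8.0/21", "wan0")]
# Table with no tunnel route at all: only the default route matches.
ROUTES_NO_TUNNEL = [("0.0.0.0/0", "wan0")]

# Constructed branch host addresses to probe.
BRANCH_HOSTS = ["10.32.1.10", "10.32.9.20"]


def best_route(routes, dest):
    """Longest-prefix match: return (network, interface) for dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, iface))
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def off_tunnel_hosts(routes, hosts, tunnel_if=TUNNEL_IF):
    """Return the hosts whose winning route does not egress via the tunnel."""
    leaked = []
    for host in hosts:
        route = best_route(routes, host)
        if route is None or route[1] != tunnel_if:
            leaked.append(host)
    return leaked


def shadowing_routes(routes, protected=BRANCH_LAN, tunnel_if=TUNNEL_IF):
    """Non-tunnel routes that sit inside the protected subnet (more specific)."""
    found = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface != tunnel_if and net != protected and net.subnet_of(protected):
            found.append(prefix)
    return found


if __name__ == "__main__":
    for name, table in [("ok", ROUTES_OK), ("shadowed", ROUTES_SHADOWED),
                        ("no tunnel route", ROUTES_NO_TUNNEL)]:
        print(name, off_tunnel_hosts(table, BRANCH_HOSTS), shadowing_routes(table))
```

Feeding it the real route table from the client or the VPN headend, taken while the tunnel is up, shows whether any branch address resolves to a non-tunnel interface.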
