Removing Private ASNs from the AS Path

Problem

You want to prevent your internal private ASNs from reaching the public Internet.

Solution

You have to be extremely careful that any unregistered ASNs that you may be using don’t propagate into the public Internet.

In this example, the router has a BGP connection to an ISP, which uses ASN 1. Our router uses ASN 2 and connects to another router with an unregistered ASN, 65500:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 1
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to private network, ASN 65500
Router1(config-if)#ip address 192.168.5.1 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 2
Router1(config-router)#neighbor 192.168.5.2 remote-as 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 1
Router1(config-router)#neighbor 192.168.1.5 remove-private-AS
Router1(config-router)#no synchronization
Router1(config-router)#exit 
Router1(config)#end
Router1#
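
The following Python check is an added example, not from the book: it reads the BGP section of a saved configuration and lists public eBGP neighbors that lack remove-private-AS while a private-ASN peer is configured. The private ranges come from RFC 6996; the `audit` and `is_private` names and both sample configs are constructed for illustration, and ASNs are assumed to be written in asplain notation.

```python
import re

# Private-use ASN ranges (RFC 6996), asplain notation.
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def audit(config):
    """Return public eBGP neighbors that could be sent private ASNs."""
    local_as, remote_as, strips = None, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"router bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            remote_as[m.group(1)] = int(m.group(2))
        elif m := re.match(r"neighbor (\S+) remove-private-as\b", line, re.I):
            strips.add(m.group(1))
    # Assumption: only private ASNs of directly configured peers are considered.
    if not any(is_private(a) for a in remote_as.values()):
        return []
    return sorted(
        peer for peer, asn in remote_as.items()
        if asn != local_as          # eBGP only; iBGP peers share our ASN
        and not is_private(asn)     # peer sits on the public side
        and peer not in strips      # and nothing strips private ASNs
    )

# Constructed sample: the recipe's BGP section as it would appear in a config file.
RECIPE = """\
router bgp 2
 no synchronization
 neighbor 192.168.1.5 remote-as 1
 neighbor 192.168.1.5 remove-private-AS
 neighbor 192.168.5.2 remote-as 65500
"""
# Constructed sample: same config with the remove-private-AS line deleted.
BROKEN = RECIPE.replace(" neighbor 192.168.1.5 remove-private-AS\n", "")

if __name__ == "__main__":
    print("recipe:", audit(RECIPE))
    print("broken:", audit(BROKEN))
```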

Discussion

An unregistered ASN is a little bit like an unregistered IP address, in that anybody can use it. So if your routing prefixes carry an unregistered ASN, and this information is eventually passed to another router somewhere else in the Internet that happens to be using the same unregistered ASN, then that router ...
