VRF Route leaking to internet

Ryan Fisher
Level 1

I'm just starting to learn about route leaking today, so I'm still trying to figure this out.

In short, I've created three vlans and put them in a vrf and would like them to access the internet. At this point, I have the vrf created, vlans assigned and a global route leaked from the vrf to the gateway of last resort. A machine in the vrf is able to ping all three vlan gateways, but still cannot get to the internet.

I have everything on a 6509 core switch, and my firewall is an ASA 5505.  I've also tried putting routing configs in using eigrp, but the vrf networks never made it to the ASA.  Attached are my configs on both.  If anyone could help me with what I'm missing that would be great.  Thanks!

****  6509 Config  ****

lab-core6509#sh run

Building configuration...

Current configuration : 22128 bytes

!

! Last configuration change at 17:31:43 pst Tue Jan 7 2014 by rmf

! NVRAM config last updated at 12:30:19 pst Tue Jan 7 2014 by rmf

!

upgrade fpd auto

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service sequence-numbers

service counters max age 5

!

hostname lab-core6509

!

boot-start-marker

boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin

boot-end-marker

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

!

aaa session-id common

clock timezone pst -8

clock summer-time PDT recurring

clock calendar-valid

ip subnet-zero

!

!

ip dhcp excluded-address 192.168.80.1 192.168.80.9

!

ip dhcp pool 192.168.80.0/24

   network 192.168.80.0 255.255.255.0

   default-router 192.168.80.1

   domain-name procopio-guest.com

   dns-server 8.8.8.8

!

ip vrf bingfish

rd 123:1

!

ip domain-name company.local

mls ip slb purge global

mls netflow interface

no mls flow ip

no mls flow ipv6

mls cef error action reset

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

diagnostic bootup level minimal

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

fabric timer 15

!

redundancy

main-cpu

  auto-sync running-config

mode sso

!

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!

!

!

interface Port-channel10

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/1

switchport

switchport access vlan 500

switchport mode access

spanning-tree portfast edge

!

~SNIP~  (I don't think anyone cares about all the interface configs!)

!

interface Vlan510

description voice server net

ip address 10.90.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan666

ip address 10.90.253.1 255.255.255.0

!        

interface Vlan851

description bingfish client net

ip vrf forwarding bingfish

ip address 10.249.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan852

description bingfish server net

ip vrf forwarding bingfish

ip address 10.249.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan853

description bingfish management net

ip vrf forwarding bingfish

ip address 10.249.3.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan901

description guest network

ip address 192.168.80.1 255.255.255.0

ip access-group guest-net in

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan912

description internet perimeter

ip address 10.91.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

interface Vlan999

description management net

ip address 10.90.100.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

!

router eigrp 200

network 10.0.0.0

!

address-family ipv4 vrf bingfish

  autonomous-system 99

  network 10.249.1.0 0.0.0.255

  network 10.249.2.0 0.0.0.255

  network 10.249.3.0 0.0.0.255

  redistribute static metric 10000 100 255 1 1500

exit-address-family

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.91.1.2

ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global

!

!

no ip http server

no ip http secure-server

!

ip access-list extended guest-net

deny   ip any 10.0.0.0 0.255.255.255

permit ip any any

!

!

!

!

control-plane

!

!

dial-peer cor custom

!

!

!

!

line con 0

exec-timeout 30 0

line vty 0 4

exec-timeout 30 0

line vty 5 15

exec-timeout 30 0

!

ntp logging

ntp authenticate

ntp trusted-key 10

ntp clock-period 17179851

ntp source Vlan500

ntp master

ntp server 10.90.1.50 prefer

!

end

****  ASA 5505 Config  ****

lab-5505asa# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname lab-5505asa

domain-name company.local

names

dns-guard

!

interface Ethernet0/0

description inside

!

interface Ethernet0/1

description outside

switchport access vlan 2

!

interface Ethernet0/2

description dmz

switchport access vlan 4

speed 100

duplex full

!

interface Ethernet0/3

!            

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.91.1.2 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address <outside ip> 255.255.255.128

ospf cost 10

!

interface Vlan4

nameif DMZ

security-level 50

ip address 172.16.35.1 255.255.255.0

ospf cost 10

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name company.local

object-group service DM_INLINE_SERVICE_1

service-object tcp eq domain

service-object udp eq domain

service-object udp eq ntp

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_1

network-object host 10.90.1.10

network-object host 10.90.1.11

object-group network DM_INLINE_NETWORK_2

network-object host <outside ip>

network-object host <outside ip>

object-group service DM_INLINE_SERVICE_2

service-object tcp eq domain

service-object udp eq domain

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq 3008

port-object eq 3010

port-object eq ssh

object-group network DM_INLINE_NETWORK_3

network-object 216.9.240.0 255.255.240.0

network-object 68.171.224.0 255.255.224.0

object-group service DM_INLINE_TCP_4 tcp

port-object eq 3268

port-object eq 3269

port-object eq ldap

port-object eq ldaps

object-group network DM_INLINE_NETWORK_6

network-object host 172.16.35.12

network-object host 172.16.35.13

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_7

network-object host 172.16.35.12

network-object host 172.16.35.13

object-group network DM_INLINE_NETWORK_8

network-object host 172.16.36.45

network-object host 172.16.36.46

object-group service DM_INLINE_TCP_6 tcp

port-object eq 2598

port-object eq citrix-ica

port-object eq www

object-group service DM_INLINE_TCP_7 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_4

network-object host <outside ip>

network-object host <outside ip>

network-object host <outside ip>

object-group network DM_INLINE_NETWORK_5

network-object host 172.16.35.12

network-object host 172.16.35.13

object-group network DM_INLINE_NETWORK_10

network-object host 172.16.36.15

network-object host 172.16.36.42

object-group network xenapp_servers

network-object host 10.90.1.45

network-object host 10.90.1.46

network-object host 10.90.5.54

object-group network xendesktop_servers

network-object host 10.90.1.38

network-object host 10.90.1.54

object-group network DM_INLINE_NETWORK_11

network-object host 172.16.36.10

network-object host 172.16.36.42

network-object 10.80.1.0 255.255.255.0

group-object xenapp_servers

group-object xendesktop_servers

object-group network DM_INLINE_NETWORK_9

network-object host 172.16.36.27

network-object host 172.16.36.31

object-group network DM_INLINE_NETWORK_12

network-object host 74.117.58.150

network-object host 97.95.240.159

object-group network DM_INLINE_NETWORK_13

network-object 10.90.10.0 255.255.255.0

network-object 192.168.80.0 255.255.255.0

network-object 10.249.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_14

network-object 10.90.1.0 255.255.255.0

network-object 10.90.5.0 255.255.255.0

access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_12 any log disable

access-list outside_access_in extended permit tcp any host <outside ip> eq 3389 log disable

access-list outside_access_in extended permit tcp any host <outside ip> eq smtp log disable

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable

access-list dmz_access_in extended permit ip any any log disable

access-list inside_access_in extended deny ip host 10.90.100.25 any log disable

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable

access-list inside_access_in extended permit tcp host 10.90.1.27 host 172.16.35.11 eq smtp log disable

access-list inside_access_in extended permit ip 10.80.1.0 255.255.255.0 any log disable

access-list inside_access_in extended permit tcp host 10.90.1.33 object-group DM_INLINE_NETWORK_3 eq 3101 log disable

access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_14 any object-group DM_INLINE_TCP_2 log disable

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 log disable

access-list inside_access_in extended permit udp host 10.90.1.50 any eq ntp log disable

access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_11 log disable

access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.27 eq smtp log disable

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 172.16.35.10 host 172.16.36.10 log disable

access-list DMZ_access_in extended permit tcp host 172.16.35.11 any eq smtp log disable

access-list DMZ_access_in extended permit tcp host 172.16.35.10 any object-group DM_INLINE_TCP_1 log disable

access-list DMZ_access_in remark rule for cag to owa

access-list DMZ_access_in extended permit tcp host 172.16.35.13 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_3 log disable

access-list DMZ_access_in extended permit tcp host 172.16.35.10 host 172.16.36.10 object-group DM_INLINE_TCP_4 log disable

access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_5 log disable

access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_6 log disable inactive

access-list slow-down extended permit ip 10.90.0.0 255.255.0.0 any

access-list slow-down extended permit ip any 10.90.0.0 255.255.0.0

pager lines 24

logging enable

logging trap debugging

logging asdm warnings

logging host inside 10.90.1.65 6/1470

logging permit-hostdown

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

asdm history enable

arp timeout 14400

global (inside) 2 interface

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 10.80.1.0 255.255.255.0

nat (inside) 1 10.90.1.0 255.255.255.0

nat (inside) 1 10.90.5.0 255.255.255.0

nat (inside) 1 192.168.80.0 255.255.255.0

nat (inside) 1 10.249.0.0 255.255.0.0

nat (DMZ) 1 172.16.35.0 255.255.255.0

static (DMZ,outside) <outside ip> 172.16.35.10 netmask 255.255.255.255 dns

static (DMZ,outside) <outside ip> 172.16.35.55 netmask 255.255.255.255 dns

static (DMZ,outside) <outside ip> 172.16.35.50 netmask 255.255.255.255 dns

static (DMZ,outside) <outside ip> 172.16.35.60 netmask 255.255.255.255 dns

static (inside,outside) <outside ip> 10.90.1.21 netmask 255.255.255.255 dns

static (inside,DMZ) 172.16.36.31 10.90.1.31 netmask 255.255.255.255

static (inside,DMZ) 172.16.36.10 10.90.1.10 netmask 255.255.255.255

static (inside,DMZ) 172.16.36.27 10.90.1.27 netmask 255.255.255.255

static (inside,DMZ) 172.16.36.15 10.90.1.15 netmask 255.255.255.255

static (inside,DMZ) 172.16.36.42 10.90.1.42 netmask 255.255.255.255

static (inside,DMZ) 10.90.1.0 10.90.1.0 netmask 255.255.255.0

static (inside,DMZ) 10.80.1.0 10.80.1.0 netmask 255.255.255.0

static (inside,DMZ) 10.90.5.0 10.90.5.0 netmask 255.255.255.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

!

router eigrp 200

network 10.0.0.0 255.0.0.0

passive-interface default

no passive-interface inside

!            

route outside 0.0.0.0 0.0.0.0 209.242.145.129 1

route inside 10.0.0.0 255.0.0.0 10.91.1.1 1

route inside 10.249.0.0 255.255.0.0 10.91.1.1 1

route inside 192.168.80.0 255.255.255.0 10.91.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 60

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics host number-of-rate 3

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.90.1.50 source inside prefer

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect pptp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9ba1f1f89fa1a88af05e2fc5fdba3090

: end


Ryan Fisher
Level 1

So it would appear I've solved it by adding a static route in the global routing table back to the subnets in the vrf:

ip classless

ip route 0.0.0.0 0.0.0.0 10.91.1.2

ip route 10.249.1.0 255.255.255.0 Vlan851   <-----------------------

ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global

!

Thanks
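An added config-audit check, written for this thread and not the poster's or Cisco's code: it reads the relevant 6509 lines (a constructed excerpt, as they stand after the reply's added static route) and reports, for each VRF whose default route is leaked into the global table, which VRF subnets still have no specific global route back into the VRF, which is exactly the return-path gap the reply closed for Vlan851.

```python
import ipaddress
import re

# Constructed excerpt of the thread's 6509 config (after the reply's fix).
CORE_CONFIG = """\
ip vrf bingfish
interface Vlan851
 ip vrf forwarding bingfish
 ip address 10.249.1.1 255.255.255.0
interface Vlan852
 ip vrf forwarding bingfish
 ip address 10.249.2.1 255.255.255.0
interface Vlan853
 ip vrf forwarding bingfish
 ip address 10.249.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.91.1.2
ip route 10.249.1.0 255.255.255.0 Vlan851
ip route vrf bingfish 0.0.0.0 0.0.0.0 10.91.1.2 global
"""

def parse_config(text):
    """Connected subnets per VRF ('ip vrf forwarding' interfaces) and the static prefixes in the global table."""
    vrf_subnets, global_routes = {}, set()
    vrf = None  # VRF of the interface stanza currently being read
    for line in text.splitlines():
        if line.startswith("interface "):
            vrf = None
        if m := re.match(r"\s*ip vrf forwarding (\S+)", line):
            vrf = m.group(1)
        if vrf and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            vrf_subnets.setdefault(vrf, set()).add(net)
        if m := re.match(r"ip route (\d\S*) (\S+) ", line):  # not 'ip route vrf'
            global_routes.add(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return vrf_subnets, global_routes

def leaked_vrfs(text):
    """VRFs whose static route resolves its next hop in the global table."""
    return set(re.findall(r"^ip route vrf (\S+) .* global$", text, re.M))

def missing_return_routes(text):
    """Per leaked VRF, the VRF subnets no specific global route covers; replies
    to them land in the global table with no path back into the VRF."""
    vrf_subnets, global_routes = parse_config(text)
    specific = [r for r in global_routes if r.prefixlen > 0]  # skip default
    gaps = {}
    for vrf in sorted(leaked_vrfs(text)):
        missing = [str(n) for n in sorted(vrf_subnets.get(vrf, ()))
                   if not any(n.subnet_of(r) for r in specific)]
        if missing:
            gaps[vrf] = missing
    return gaps
```

Run `missing_return_routes(CORE_CONFIG)` against the excerpt and it reports the Vlan852 and Vlan853 subnets, since the reply's single static route only covers 10.249.1.0/24.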
