Does anyone know if the ASA supports classless subnets? I am breaking my public subnet into two and don't want to lose IPs to classful restrictions.
"I am trying to break it into two, one for public (Outside) as x.x.x.192 255.255.255.228, which will give me first usable x.x.x.193 and last 218"
228 is not a valid classless subnet mask. Classless subnet masks follow as 2,4,8,16,32,64 and so on. You cannot divide a 32-host subnet into 1-30,30-32. You can do 1-16,16-32 or 1-16,16-24,24-32 and so on.
As long as the ASA is in routed mode (the default), it is not possible to have two interfaces with address overlap (what you are describing with your eth0/0 and 0/3). When you address your outside interface in the first half of the address space and your DMZ in the 2nd half, the ASA will know how to get traffic to both interfaces, as they are connected routes. You will be making this into two /28s, so your address range will be x.x.x.193 - 206 and your second range will be x.x.x.209 - 222. By splitting this up, you must lose 2 more IP addresses (one to the broadcast, one to the network), so in this case, 207 and 208 are gone. This is the easiest way to do this. If you must use a /30 on the "DMZ", then the best you can do is a /28 on the outside, then you can divide up the remaining /28 however you see fit (2 /29s or 4 /30s); just remember, every time you divide it, you lose 2 IPs. The only way you can do what you describe is with a static NAT (which would then allow you to ACL the address however you see fit). This is probably the most common way to accomplish what you are hoping to do. Feel free to check the configuration guides for NAT and the command references, here: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/index.htm
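The arithmetic discussed in this thread, as an added example that is not part of any poster's reply: it checks whether a dotted mask is contiguous, splits a /27 into two /28s, lists the addresses lost to the split, and tests two interface subnets for overlap. The block 203.0.113.192/27 is a constructed documentation address standing in for the thread's x.x.x.192, and all function names are hypothetical.

```python
import ipaddress

def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a run of 1-bits followed only by 0-bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # A valid wildcard (inverted mask) has the form 2**n - 1.
    return (inverted & (inverted + 1)) == 0

def split_plan(block: str, new_prefix: int):
    """Split block into equal subnets: (subnet, first usable, last usable)."""
    parent = ipaddress.ip_network(block)
    plan = []
    for sub in parent.subnets(new_prefix=new_prefix):
        first = sub.network_address + 1      # skip the network address
        last = sub.broadcast_address - 1     # skip the broadcast address
        plan.append((str(sub), str(first), str(last)))
    return plan

def lost_addresses(block: str, new_prefix: int):
    """Host addresses usable in the parent but not in any child subnet."""
    parent = ipaddress.ip_network(block)
    child_hosts = set()
    for sub in parent.subnets(new_prefix=new_prefix):
        child_hosts.update(sub.hosts())
    return sorted(str(h) for h in set(parent.hosts()) - child_hosts)

def overlapping(if_a: str, if_b: str) -> bool:
    """True if two interface address/prefix pairs fall in overlapping subnets."""
    net_a = ipaddress.ip_interface(if_a).network
    net_b = ipaddress.ip_interface(if_b).network
    return net_a.overlaps(net_b)

if __name__ == "__main__":
    BLOCK = "203.0.113.192/27"  # constructed stand-in for x.x.x.192
    for mask in ("255.255.255.228", "255.255.255.240"):
        print(mask, "contiguous" if is_contiguous_mask(mask) else "not contiguous")
    for subnet, first, last in split_plan(BLOCK, 28):
        print(f"{subnet}: usable {first} - {last}")
    print("lost to the split:", lost_addresses(BLOCK, 28))
    # Outside left on the whole /27 while the DMZ takes the upper /28: overlap.
    print("overlap:", overlapping("203.0.113.193/27", "203.0.113.209/28"))
    # Each interface on its own /28: no overlap.
    print("overlap:", overlapping("203.0.113.193/28", "203.0.113.209/28"))
```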