Using a subnet directly on the DMZ segments to avoid any special needs regarding the NAT and DNS while at the same time using other subnet(s) directly on the ASA firewall "outside" facing the CeraNet distribution layer.
One thing to keep in mind with using multiple subnets on the interface facing the CeraNet distribution layer is that there have been changes from software version 8.4(2) -> 8.4(3) -> 8.4(4/5) in how the ASA operates with multiple subnets on one interface. This mostly depends on how CeraNet has handled the routing of your public subnets.
If CeraNet has, for example, configured a new public subnet as a "secondary" network on their gateway interface AND you are using 8.4(3) software you will run into problems with connectivity of the hosts in the "secondary" network range. This is because of changes to ARP related behaviour. Basically the ASA will not populate ARP table with nonconnected networks.
Your solution is either to ask CeraNet to route the new subnet directly towards the ASA "outside" interface IP address OR you will have to upgrade the ASA to 8.4(4/5) software level and use the configuration command "arp permit-nonconnected"
Reference URL: https://supportforums.cisco.com/docs/DOC-31116
