Subnet masks and access list masks are similar in that they both are defining which bits in an address are significant (they must match) and which bits are not. But the two types of masks achieve it in almost opposite ways. In a subnet mask the binary 1 indicates a must match bit and a binary 0 indicates a do not care bit. In access list masks the binary 1 is do not care bit and binary 0 is must match bit.
Also note that a 255 is all binary 1s and a 0 is all binary 0s.
So consider the expression 192.168.3.0 255.255.255.0. If we consider this as a subnet mask (ip address 192.168.3.0 255.255.255.0) then we are saying that the first octet must be 192 (255 mask is all 1s and is must match), the second octet must be 168, the third octet must be 3, and the fourth octet can be anything (0 mask is all 0s is do not care). If we consider the same expression in an access list (permit 192.168.3.0 255.255.255.0 then we are saying that anything can be in the first octet (255 mask is all 1s is do not care), anything can be in the second octet, anything can be in the third octet, and the fourth octet must be 0 (0 mask is all 0s is must match).
Subnet masking and access list masking can be a bit difficult but they are fundamentally important topics. Best luck in continuing to try to understand them.
I believed from the context of the original post that he was asking about the router style syntax of access lists which use inverse masks for access lists. You have posted a good link which assumes that the question was about PIX access lists which use normal subnet masking in access lists. Perhaps we should ask the original poster to clarify which context and which type of access list he was asking about.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...