Many newbie network admins express difficulty with the subnet-versus-wildcard masking paradigm. It is a commonly held belief that a wildcard mask is simply the inverse of a subnet mask, and this is often the case, but not necessarily. Here's a brief rundown explaining the purpose of both mask types.
Subnet masking is an unfortunate product of the conversion from classful to classless IP routing that took place decades ago. When IP addresses were assigned a class (A through E) based on their first few bits, the class determined the scope of the network: /8 for class A, /16 for class B, and so forth. Classless Interdomain Routing (CIDR) was developed to provide a much more flexible, albeit more complex, address scheme involving the variable-length subnet masks we use today.
Subnet masks serve only to express a length of bits, matching the network portion of an IPv4 address from left to right. A subnet having a mask of 255.255.240.0 is the same as having a "length" of 20, or /20. In fact, there are only 33 possible IPv4 subnet masks, from 0.0.0.0 to 255.255.255.255, or from /0 to /32. So why go through the pain of dotted-decimal notation for such a simple array of values? Binary-to-decimal subnet mask calculation is taught in introductory networking classes simply to serve as a crucible to weed out the weaker network admins in training.*
Wildcard masks are much more flexible than subnet masks, as there is no requirement for contiguity. In the Cisco world, the bits are opposite from subnet masks, so that a 0 matches and a 1 does not. It is common practice for access list wildcard masks to appear as the inverse to the subnet mask of the network being formed; for example, 0.0.0.255 matches any value for the last octet of an IP address in a 255.255.255.0 subnet. But this isn't strictly necessary. One can achieve all sorts of strange matches with a wildcard mask; some examples are given here in IOS ACL syntax:
Match all 192.168.x.1 addresses:
permit 192.168.0.1 0.0.255.0
Match only even 192.168.x.0/24 subnets:
permit 192.168.0.0 0.0.254.255
Note that neither of the wildcard masks above is contiguous; rather than matching a length from one side of the address to the other, each bit is matched (0) or ignored (1) independently.
A parting tip: you can determine the wildcard to match a subnet by subtracting each subnet mask octet from 255. Examples for /25 and /18 subnets are given below:
  255 . 255 . 255 . 255
- 255 . 255 . 255 . 128   (/25)
-----------------------
    0 .   0 .   0 . 127

  255 . 255 . 255 . 255
- 255 . 255 . 192 .   0   (/18)
-----------------------
    0 .   0 .   0 .  63 . 255
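The bit-wise wildcard test, the subtract-from-255 conversion, and a contiguity check from the text, worked through in Python as an added example (not code from the original post); it uses only the standard library's ipaddress module, and the addresses tested against the two ACL entries above are constructed samples.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard test: a 0 bit in the wildcard must match the
    base address, a 1 bit is ignored (the opposite of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Keep only the bits where the wildcard is 0, then compare those.
    return (a & ~w) == (b & ~w)


def subnet_to_wildcard(mask: str) -> str:
    """The parting tip: subtract every subnet-mask octet from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Same conversion starting from a /NN prefix length."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return subnet_to_wildcard(str(mask))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a plain inverted subnet mask, i.e. all of its
    1 bits sit on the right. Adding 1 to such a value gives a power of two."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


if __name__ == "__main__":
    # "permit 192.168.0.1 0.0.255.0" matches any 192.168.x.1 (sample addresses).
    print(wildcard_match("192.168.37.1", "192.168.0.1", "0.0.255.0"))   # True
    print(wildcard_match("192.168.37.2", "192.168.0.1", "0.0.255.0"))   # False
    # "permit 192.168.0.0 0.0.254.255" matches only even third octets.
    print(wildcard_match("192.168.20.5", "192.168.0.0", "0.0.254.255"))  # True
    print(wildcard_match("192.168.21.5", "192.168.0.0", "0.0.254.255"))  # False
    print(subnet_to_wildcard("255.255.255.128"), prefix_to_wildcard(18))
    print(is_contiguous("0.0.63.255"), is_contiguous("0.0.254.255"))
```

Running an ACL entry's base/wildcard pair through wildcard_match against a handful of hosts is a cheap way to confirm what the entry really matches before it is applied.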
* Actually, I have no idea. Anyone who knows the real reason please post in the comments.