grasscutter
Technical User
I have a PC with an internal address 193.33.20.114 (I know an external inside address) and I have an access list as follows...
interface Ethernet0/0
ip address 193.33.20.15 255.255.255.0
ip access-group 100 in
access-list 100 deny ip 193.33.20.0 0.0.0.255 any (Line 1)
access-list 100 permit ip host 193.33.20.35 any (Line 2)
...When I have my IP address set to 193.33.20.114 I cannot ping the Ethernet 0/0 interface. I get a
destination net unreachable
destination net unreachable
destination net unreachable
destination net unreachable
This I understand.
However, when I set my PC to IP address 193.33.20.35 I can then ping the Ethernet interface with..
reply from 193.33.20.15: bytes=32 time=2ms TTL255
reply from 193.33.20.15: bytes=32 time=2ms TTL255
reply from 193.33.20.15: bytes=32 time=2ms TTL255
reply from 193.33.20.15: bytes=32 time=2ms TTL255
...What I don't understand is why I can ping Ethernet0/0 with my IP address set to 193.33.20.35, since I thought Line 1 would have blocked access to Ethernet0/0 before Line 2 was reached?
I thought access lists worked on the basis that the first hit would cause every device on the 193.33.20.0 network to be hit by Line 1 and therefore block access for all devices on the 193.33.20.0 network.
Why is line 1 being passed over to line 2 for host 193.33.20.35?
Any ideas would be greatly welcomed.
Regards,
Grasscutter.
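First-match evaluation with wildcard masks, applied to the two entries as posted; this is an added example, not part of the original post. It models only the source-address match of `ip <source> any` entries, and the function names (`parse_acl`, `matches`, `evaluate`) are hypothetical.

```python
import ipaddress

# The two entries exactly as posted, without the "(Line N)" annotations.
POSTED_ACL = """\
access-list 100 deny ip 193.33.20.0 0.0.0.255 any
access-list 100 permit ip host 193.33.20.35 any
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny ip <source> any' into (action, addr, wildcard)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "ip" or tok[-1] != "any":
            raise ValueError(f"unsupported entry: {line!r}")
        action, src = tok[2], tok[4:-1]
        if src[0] == "host":
            # 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'
            addr, wild = src[1], "0.0.0.0"
        else:
            addr, wild = src
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def matches(src, addr, wild):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (addr & care)

def evaluate(entries, source_ip):
    """Return (action, entry_number) of the first matching entry, top down."""
    src = int(ipaddress.IPv4Address(source_ip))
    for n, (action, addr, wild) in enumerate(entries, start=1):
        if matches(src, addr, wild):
            return action, n
    return "deny", None  # implicit deny that ends every access list

if __name__ == "__main__":
    posted = parse_acl(POSTED_ACL)
    swapped = list(reversed(posted))  # same entries, opposite order
    for ip in ("193.33.20.114", "193.33.20.35", "10.0.0.1"):
        print(ip, "posted:", evaluate(posted, ip), "swapped:", evaluate(swapped, ip))
```

On the router, `show access-lists 100` lists the entries in the order they are actually evaluated, with a match counter per entry.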