I found a configuration like this on a router and it works, but I do not understand it. There is a NAT list with a deny statement at the beginning. When I look at the NAT translation, all NATs are using the source ip-address 192.168.2.111 of the interface, but this ip-address is denied in the list. So how does this work? I usually would configure the access-list 30 with permit 192.168.2.111 and deny any.
!
interface FastEthernet0.99
 description myIF
 encapsulation dot1Q 99
 ip address 192.168.2.111 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip nat inside source list 30 interface FastEthernet0.99 overload
!
access-list 30 deny 192.168.2.111
access-list 30 permit any