This stuff is rather complex. It involves converting the octets (the groups of numbers delimited by the periods) of the address or address range to binary, and then generating a "mask" that is used during comparison of the incoming address and the specified allow/deny directives.
A basic example would be that you want to deny 192.168.192.0 through 192.168.255.255
In binary (use the Windows calculator or equivalent) that is 11000000.10101000.11000000.00000000 through 11000000.10101000.11111111.11111111
Having derived that, you now need to generate either a netmask or a CIDR. The easiest way to do it is to line up the start/end addresses vertically, and then examine them to see which bits change between the first and last address of the range. Then mark those that don't change with ones and those that do with zeroes:
This yields the netmask, which when converted back to decimal octets is 255.255.192.0
To get a CIDR, you count the number of ones from the left, in this case 18.
So, you would use