Blocking one-way traffic on subinterface vlans

jacob.dixon
Level 1

I seem to be having a problem wrapping my head around what is going on or what to do.

What I have is two subinterfaces:

interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 10.10.2.254 255.255.255.0
ip access-group vlan10_in in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 10.10.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!

Now what I am trying to do is block the 10.10.3.x network from accessing the 10.10.2.x network BUT I want the 10.10.2.x network to be able to access the 10.10.3.x network.

The access list I set up is:

Extended IP access list vlan10_in
    10 deny ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255 log (7 matches)
    20 permit ip any any log

Now I set up logging to try to understand this better. When I try to PING from 10.10.3.x to 10.10.2.x I get:

*Dec 15 18:30:34.553: %SEC-6-IPACCESSLOGDP: list vlan10_in denied icmp 10.10.2.100 -> 10.10.3.100 (0/0), 1 packet

But when I try to PING from 10.10.2.x to 10.10.3.x I get nothing. The ping actually shows a "Destination net unreachable".

I know my logic is wrong because it's not working, but I'm trying to understand this better.

Without this access-list/group everything works fine. Both networks can get to the NET and see each other.

Accepted Solution

4 Replies

Yudong Wu
Level 7

Yes, your logic is incorrect.

The regular ACL could not fit your requirement.

You have to use the IOS firewall feature to realize this.

Here is an example.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml
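As an added illustration that is not part of the thread, the following Python model shows why the posted vlan10_in list produces exactly the log line and the "Destination net unreachable" in the question, and what the session tracking recommended in the answer changes. The .100 host addresses and the stateful() function are constructed assumptions, a simplified model rather than CBAC's real logic.

```python
import ipaddress

# Constructed model of the thread's topology: vlan 10 = 10.10.2.0/24 behind Fa0/1.1
# (vlan10_in applied inbound), vlan 20 = 10.10.3.0/24 behind Fa0/1.2 (no ACL).
VLAN10 = ipaddress.ip_network("10.10.2.0/24")

def wildcard_match(ip, net, wildcard):
    """Cisco wildcard-mask test: a set bit in the wildcard means 'don't care'."""
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return ip_i & care == net_i & care

# The vlan10_in list as posted: (action, src, src-wildcard, dst, dst-wildcard).
VLAN10_IN = [
    ("deny",   "10.10.2.0", "0.0.0.255",       "10.10.3.0", "0.0.0.255"),
    ("permit", "0.0.0.0",   "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
]

def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS access list ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

def stateless(src, dst):
    """Per-packet verdict. vlan10_in is inbound on Fa0/1.1, so it is consulted only
    for packets that ENTER that subinterface, i.e. packets sourced in vlan 10."""
    if ipaddress.ip_address(src) in VLAN10:
        return acl_lookup(VLAN10_IN, src, dst)
    return "permit"          # entered Fa0/1.2, where no access-group is configured

def stateful(sessions):
    """Constructed model of the session tracking an IOS firewall adds: vlan 10 may
    open sessions; a packet from vlan 20 passes only as the return leg of one."""
    def verdict(src, dst):
        if ipaddress.ip_address(src) in VLAN10:
            sessions.add((src, dst))
            return "permit"
        return "permit" if (dst, src) in sessions else "deny"
    return verdict

def ping(src, dst, verdict):
    """Echo then reply; a dropped echo never produces a reply, and the router answers
    it with an ICMP unreachable, which is what the original post sees."""
    out = {"echo": verdict(src, dst)}
    if out["echo"] == "permit":
        out["reply"] = verdict(dst, src)
    return out
```

With the stateless list, a ping from vlan 20 gets its echo through and only the reply 10.10.2.100 -> 10.10.3.100 is denied, which is the exact log entry in the question, while a ping from vlan 10 loses its echo at the first line of the ACL.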

I don't have rights to your link

pdf attached.
