Extended Access-List example on Cisco Router

Hello Helen

When you create an access list, and you do not apply it anywhere, it actually does nothing. In order for it to function, you must apply it to an interface and a direction. The interface you choose and the direction you choose will directly affect the results. Let’s say you have the following topology:

SW1--------(Fe0/1) R (Fe0/2)----------SW2

And you have the 172.16.104.0/24 subnet connected to SW1 and the 172.16.108.0/24 subnet connected to SW2. Let’s call these Network A and Network B respectively.

Now, the access list you have created is correct. It will not allow access FROM Network A TO Network B. Now you have to be sure about which interface of the Router to apply it to and in which direction.

The rule of thumb for extended access lists is to place them as close as possible to the source of the traffic. In this case, this is the 172.16.104.0/24 subnet. So, the interface of the router that is closest to the source is Fe0/1.

Now, which direction? Well, the flow of data you want to block is FROM Network A TO Network B, or from SW1 to SW2. From the point of view of the Fe0/1 interface, this is INCOMING traffic.

So, you should put the command `ip access-group 100 in` on the Fe0/1 interface of the Router.

This should allow all traffic to go from 172.16.108.0/24 to 172.16.104.0/24 but not the other way around.

Now the problem that you are facing is the fact that you cannot ping from Network A to Network B, which is what you want. But when you try to ping from Network B to Network A, you also cannot ping. Why? Because the ping reaches its destination, but when it comes back as a reply, it is blocked by the access list. What you need is a reflexive access list so that any session initiated by A to B will be allowed to return.

You can learn more about reflexive access lists at this lesson.

I hope this has been helpful!

Laz

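As an added example (not part of Laz's post or of Helen's configuration), here is one way to build the reflexive access list described above for this topology, so that sessions Network B starts toward Network A can return while Network A still cannot start anything toward Network B. The ACL names, the session-table name and the contents of the original ACL 100 are assumptions; only the two subnets and the Fe0/1 placement come from the thread.

```cisco
! Added example (not from the post): reflexive ACL for
! SW1--(Fe0/1) R (Fe0/2)--SW2.
! Assumed: Network A = 172.16.104.0/24 (behind Fe0/1),
!          Network B = 172.16.108.0/24 (behind Fe0/2).
! ACL and session-table names below are made up for illustration.
!
! "reflect" and "evaluate" are only accepted in named extended ACLs,
! so the numbered access-list 100 is replaced by two named lists
! applied to the same interface, one per direction.
!
! Outbound on Fe0/1 = traffic leaving the router toward Network A,
! i.e. sessions initiated from Network B. Each permitted session
! records a mirrored temporary entry in the table B-TO-A-SESSIONS.
ip access-list extended FROM-B-OUT
 permit tcp  any any reflect B-TO-A-SESSIONS
 permit udp  any any reflect B-TO-A-SESSIONS
 permit icmp any any reflect B-TO-A-SESSIONS
 permit ip   any any
!
! Inbound on Fe0/1 = traffic from Network A entering the router.
! The temporary entries are evaluated first, so replies to sessions
! that B initiated get through; anything else A sends to B is still
! denied, exactly as the original ACL 100 intended.
ip access-list extended FROM-A-IN
 evaluate B-TO-A-SESSIONS
 deny   ip 172.16.104.0 0.0.0.255 172.16.108.0 0.0.0.255
 permit ip any any
!
! Optional: age out idle reflexive entries after 120 s (default 300 s).
ip reflexive-list timeout 120
!
interface FastEthernet0/1
 ip access-group FROM-A-IN in
 ip access-group FROM-B-OUT out
```

After a ping from Network B to Network A, `show ip access-lists` displays the temporary entries created under B-TO-A-SESSIONS, which is the quickest way to confirm the reflect/evaluate pair is matching the expected flows.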