I am using the 'router-on-a-stick' method with 5 VLANs and associated sub-interfaces. I created this access-list - 'access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255'. This works as intended - I can ping the 172.30.X.X serial interfaces and I cannot ping the other VLAN devices. However, I want to be able to ping my own sub-interface but none of the other VLAN sub-interfaces.
If you add this line to the access-list, it will allow you to ping the interface with address 192.168.20.1.
Don't forget that at the end of an access-list there is a "deny ip any any" command.
So if you want to allow USER TRAFFIC to other destinations, then you should explicitly allow that traffic as well.
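The first-match and implicit-deny behaviour discussed above can be checked offline with a small evaluator; this is an added example, not part of the original question or answer. It assumes access-list 102 is applied inbound on the VLAN 20 sub-interface, and the extra `host 192.168.20.1` entry, the host address 192.168.20.10, the serial address 172.30.1.1 and the VLAN 30 gateway 192.168.30.1 are constructed for illustration.

```python
import ipaddress

IMPLICIT = "implicit deny ip any any"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (no ports or options).
    SRC and DST are each 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            specs.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            specs.append((rest[0], rest[1]))
            rest = rest[2:]
    if action not in ("permit", "deny") or len(specs) != 2:
        raise ValueError(f"unsupported entry: {line}")
    return action, proto, specs[0], specs[1]

def evaluate(acl, proto, src, dst):
    """Return (action, matching entry). The first match wins; no match is a deny."""
    for line in acl:
        action, ace_proto, s, d = parse_ace(line)
        if ace_proto in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, line
    return "deny", IMPLICIT

# The entry from the question, with the VLAN 20 subnet written out.
ACL_102 = ["access-list 102 permit icmp 192.168.20.0 0.0.0.255 172.30.0.0 0.0.255.255"]
# Assumed extra entry (the answer's own line is not shown on the page).
ASSUMED_EXTRA = "access-list 102 permit icmp 192.168.20.0 0.0.0.255 host 192.168.20.1"
HOST = "192.168.20.10"  # constructed VLAN 20 host

if __name__ == "__main__":
    # Constructed destinations: serial side, own gateway, assumed VLAN 30 gateway.
    for dst in ("172.30.1.1", "192.168.20.1", "192.168.30.1"):
        print(dst, evaluate(ACL_102, "icmp", HOST, dst)[0],
              evaluate(ACL_102 + [ASSUMED_EXTRA], "icmp", HOST, dst)[0])
```

Non-ICMP traffic from the same host falls through to the implicit deny in both versions of the list, which is the point of the answer's last two sentences.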