access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
ip add 172.16.1.2 255.255.255.0
ip access-group 101 in
ip access-list extended NET
 deny tcp any any gt 1024 established
 permit ip any any
The first access list blocks all ICMP echo requests (pings) sent from any source to addresses in the network 10.1.1.0/24. All other traffic to the network 10.1.1.0/24 is permitted.
The second access list blocks all TCP segments whose destination port is higher than 1024 and that have the 'ACK' or 'RST' flag set (the 'established' keyword). In essence, it blocks all TCP replies to connections that were initiated from ports higher than 1024. All other traffic will be permitted.
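To check the two readings above against concrete packets, here is a small first-match evaluator for both lists. It is an added example, not part of the original text or of Cisco IOS; the packet fields, helper names and sample addresses are assumptions made for illustration.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")   # keyword 'any'
NET = ("10.1.1.0", "0.0.0.255")        # 10.1.1.0/24

# Entries: (action, protocol, source, destination, extra test or None)
ACL_101 = [
    ("deny", "icmp", ANY, NET, lambda p: p.get("icmp_type") == 8),  # echo
    ("permit", "ip", ANY, NET, None),
]
ACL_NET = [
    ("deny", "tcp", ANY, ANY,   # gt 1024 established
     lambda p: p["dport"] > 1024 and bool({"ACK", "RST"} & p["flags"])),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, pkt):
    """Return (action, entry number); the first matching entry wins."""
    for n, (action, proto, src, dst, cond) in enumerate(acl, 1):
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wc_match(pkt["src"], *src) and wc_match(pkt["dst"], *dst)):
            continue
        if cond is not None and not cond(pkt):
            continue
        return action, n
    return "deny", None   # implicit deny at the end of every ACL

# Constructed sample packets (addresses are illustrative only).
ECHO = {"proto": "icmp", "src": "192.0.2.7", "dst": "10.1.1.20", "icmp_type": 8}
ECHO_REPLY = dict(ECHO, icmp_type=0)
OTHER_NET = {"proto": "tcp", "src": "192.0.2.7", "dst": "10.1.2.20",
             "dport": 80, "flags": {"SYN"}}
SYN_HIGH = dict(OTHER_NET, dst="10.1.1.20", dport=8080)
SYNACK_HIGH = dict(SYN_HIGH, flags={"SYN", "ACK"})
ACK_LOW = dict(SYN_HIGH, dport=443, flags={"ACK"})

if __name__ == "__main__":
    for name, acl, pkt in [("101", ACL_101, ECHO), ("101", ACL_101, ECHO_REPLY),
                           ("101", ACL_101, OTHER_NET), ("NET", ACL_NET, SYN_HIGH),
                           ("NET", ACL_NET, SYNACK_HIGH), ("NET", ACL_NET, ACK_LOW)]:
        print(name, pkt["proto"], pkt["dst"], "->", evaluate(acl, pkt))
```

The OTHER_NET case falls through both entries of list 101 and hits the implicit deny, so "all other traffic is permitted" holds for that list only when the destination is inside 10.1.1.0/24.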