Cisco Catalyst 3550 Switch – VLAN ACL question

I can't seem to get Vlan ACLs to work properly. I want to be able to get to servers on the 10.100.x.x network as well as the 10.200.x.x network when I'm connected through the VPN. But, I want to prevent the 10.100.x.x network from seeing 10.200.x.x

Currently, I have 2 Vlans:

interface Vlan111
 description "vlan 111" 
 ip address 10.100.1.1 255.255.255.0


interface Vlan222
 description "vlan 222"
 ip address 10.200.1.1 255.255.255.0
 ip access-group vlan222_acl in
 ip access-group vlan222_acl out

And I have 2 servers connected to each VLAN:

!--- the below port is connected to a windows machine with static ip address 10.100.1.10 and gateway 10.100.1.1
interface FastEthernet0/4                            
 description server 1
 switchport access vlan 111
 switchport mode access

!--- the below port is connected to a windows machine with static ip address 10.200.1.10 and gateway 10.200.1.1
interface FastEthernet0/5                            
 description server 2
 switchport access vlan 222
 switchport mode access

The problem is when I configure vlan222_acl.

Here is what I enter:

ip access-list extended vlan222_acl
 deny icmp 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0

But here is what gets applied to the running config:

ip access-list extended vlan222_acl
 deny icmp 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
!--- the above line is not what I actually entered in the terminal, for some reason 
!--- the source and dest ip addresses are getting replaced with zeros

Because of the above line, everyone now is unable to ping the server at 10.200.1.10. When I remove the line, ie
no deny icmp 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
then I can ping it again.

How can I restrict only 10.100.x.x from being able to ping 10.200.x.x?

Many thanks in advance for the help!
G