Hello for everybody.

I need to allow tcp and udp 123 port on external asa interface from two external ntp servers and block from any other. 

The following acl is currently applied on the external interface

access-list OUTSIDE_NAT extended permit icmp any4 any4
access-list OUTSIDE_NAT extended permit ip any4 any4
access-list OUTSIDE_NAT extended permit udp any4 any4
access-list OUTSIDE_NAT extended permit gre any4 any4

access-group OUTSIDE_NAT in interface <name_outside_int>
access-group OUTSIDE_NAT out interface <name_outside_int>

To block port tcp/udp 123 from external side, i need to create new acl

access-list OUTSIDE_NAT_EXT permit udp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit udp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny udp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny tcp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT extended permit icmp any4 any4
access-list OUTSIDE_NAT_EXT extended permit ip any4 any4
access-list OUTSIDE_NAT_EXT extended permit udp any4 any4
access-list OUTSIDE_NAT_EXT extended permit gre any4 any4

And implement it in "in" direction of external asa interface

access-group OUTSIDE_NAT_EXT in interface <name_outside_int>

Is this correct?