Have block 123 port to internet on router.

Use access-list like

interface GigabitEthernet0/1
  ip address zz.zz.zz.zz 255.255.255.248
 ip access-group INB3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp

ip access-list extended INB3
  deny   udp any host zz.zz.zz.zz eq ntp
 deny   udp any host zz.zz.zz.zz eq snmp

 permit ip any any

and use:

access-list 2 remark "SNMP RO access"
access-list 2 permit yy.yy.yy.yy
access-list 2 deny   any log

access-list 44 remark ACCESS SYNC to NTP Serv
access-list 44 permit xx.xx.xx.xx
access-list 44 deny   any log

ntp access-group peer 44

But the snmp & ntp ports are not blocked.

Any idea, what might be the reseason.

Thank You in y Advance!