ACL or other conception to block scanner
04-05-2024 05:19 AM
Hi, I have a connection like below with my internet provider:
In my NetFlow system I see a lot of attempts to scan the IP connection from the X.X.X.X address on various ports, to the y.y.y.y address as well, but that is already behind my firewall, where I cut off this traffic.
I just tried to do an ACL to deny the source IP, but it doesn't make sense.
I suspect that when I do an ACL:
deny ip any host x.x.x.75
and pin it to the interface as IN, it will probably block all traffic for the y.y.y.y subnet from the Internet, because it is the next hop for the y.y.y.y subnet. Do I understand it correctly?
I only have ICMP, 161 and NTP open when I check e.g. with Shodan. It will block these 3 protocols, but is this an effective solution?
Router: C8300 with IOS XE.
Labels: vEdge Routers
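Added example (not from the original post): a named extended ACL on IOS XE that denies only the scanner's source address and explicitly permits everything else, so the implicit deny at the end of the list does not drop the rest of the inbound traffic. The address 192.0.2.75 and the interface GigabitEthernet0/0/0 are placeholders.

```cisco
! Added example, not part of the original post. Placeholders:
! 192.0.2.75 stands for the scanning source x.x.x.75, GigabitEthernet0/0/0
! for the interface facing the provider.
!
! Every IOS/IOS XE ACL ends with an implicit "deny ip any any". An ACL that
! holds only a deny entry therefore drops ALL inbound traffic once applied
! with "ip access-group ... in", regardless of which address the deny names.
! The fix is to match the scanner as the SOURCE and then permit the rest.
ip access-list extended BLOCK-SCANNER
 remark drop packets sourced from the scanning host ("log" is optional)
 deny   ip host 192.0.2.75 any log
 remark explicit permit so the implicit deny never hits legitimate traffic
 permit ip any any
!
interface GigabitEthernet0/0/0
 description link to provider (placeholder)
 ip access-group BLOCK-SCANNER in
!
! Verify: the deny line's hit counter should grow while other traffic
! still passes through.
! show ip access-lists BLOCK-SCANNER
```

The deny entry only affects packets whose source is the scanner; transit traffic toward y.y.y.y keeps its original source address and is matched by the permit.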
