I have been forced by unforeseen circumstances to move from a WatchGuard to a Cisco ASA 5510 at my client's site. They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).
The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) to 192.168.27.5 (SQL server). The only ports I want open are 1433-1434 (all other traffic should be locked down). The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.
Here are pertinent pieces of the config:
ip address 126.96.36.199 255.255.255.248
ip address 192.168.27.254 255.255.255.0
ip address 192.168.2.1 255.255.255.0
global (outsideworld) 101 188.8.131.52-184.108.40.206 netmask 255.255.255.248
static (WebsiteDMZ,outsideworld) tcp 220.127.116.11 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 18.104.22.168 https 192.168.2.40 https netmask 255.255.255.255
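One way to express the DMZ-to-LAN rule as a least-privilege ACL, as an added example and not part of the original post: it assumes pre-8.3 ASA syntax (matching the `static`/`global` lines above), that the LAN interface is named `inside` (the post does not show its `nameif`), and that `nat-control` may be on, so an identity static is included for the SQL host.

```cisco
! Identity translation so the DMZ (lower security) can reach the SQL host on inside
! without address change. Assumed interface name "inside"; harmless if nat-control is off.
static (inside,WebsiteDMZ) 192.168.27.5 192.168.27.5 netmask 255.255.255.255
!
! Inbound ACL on the DMZ interface: only the webserver, only the SQL host, only TCP 1433-1434.
! The ASA is stateful, so replies to the published 80/443 services need no extra rule here.
access-list WebsiteDMZ_access_in remark webserver -> SQL server, TCP 1433-1434 only
access-list WebsiteDMZ_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-list WebsiteDMZ_access_in remark optional: SQL Browser service uses UDP 1434 for named instances
access-list WebsiteDMZ_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 eq 1434
access-list WebsiteDMZ_access_in remark explicit deny with logging so blocked DMZ traffic shows in syslog
access-list WebsiteDMZ_access_in extended deny ip any any log
access-group WebsiteDMZ_access_in in interface WebsiteDMZ
```

Drop the UDP 1434 line if the application connects to the default instance on TCP 1433 only; `show access-list WebsiteDMZ_access_in` then shows hit counts per rule for verifying that nothing beyond the SQL flows is getting through.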