When a SQL Server client app connects to the default instance of SQL Server, the connection goes to TCP port 1433. However, I agree the named instance port is dynamic, but it may not require a different approach.

When a connection to a named instance of SQL Server is made, the connection goes to the SQL Browser service, which listens on UDP port 1434 (so we can control access to this UDP port and therefore prevent the handoff to the named instance port from ever being requested). The SQL Browser service replies to the client with the port no. on which the named instance of SQL Server listens, and then the client is redirected and connects to the port no. provided by the SQL Server service.

I do not know why Microsoft cannot persuade Cisco to write a "SQLServer FIXUP" which would solve the problem of dynamic ports (we have this in the Oracle world as well).

If 1434/udp is closed to others, the only way in for forbidden users now is a hack on the dynamic port, which is beyond my skills and knowledge. I would only hope that if my servers are reasonably difficult to get into, an intruder would look elsewhere for his kicks. Omitting the "eq" directive in the ACL makes the scope "all ports" and would put the router back in control of who is accessing SQL Server and from where, but it may be too general (all ports) for individual IPs passed by the filter, unless SQL Server was correctly hardened.

Men who wish to know about the world must learn about it in its particular details. - Heraclitus
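The connection flow and the ACL reasoning described in the post above, modelled as an added example (this is not code from the original post or from Microsoft or Cisco). It simulates the default-instance path (straight to TCP 1433), the named-instance path (UDP 1434 to the Browser service, which replies with the instance's port, then TCP to that port), and a simplified Cisco-style ACL where an entry without "eq" matches all ports. The host name, instance names, the dynamic port 49170, the version string and the client addresses are all constructed values; the Browser reply layout (0x05, little-endian length, then a ";"-separated key/value string) follows the SSRP response format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class AclEntry:
    """One simplified access-list line: action, protocol, source CIDR, optional 'eq' port."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # source network in CIDR notation
    port: Optional[int]    # None models an entry with no "eq" directive (all ports)


def acl_permits(acl: List[AclEntry], proto: str, src_ip: str, dst_port: int) -> bool:
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    addr = ipaddress.ip_address(src_ip)
    for e in acl:
        if e.proto != proto:
            continue
        if addr not in ipaddress.ip_network(e.src):
            continue
        if e.port is not None and e.port != dst_port:
            continue
        return e.action == "permit"
    return False


# Constructed instance table: what the Browser service knows about this host.
INSTANCES = {"MSSQLSERVER": 1433, "SQLEXPRESS": 49170}


def build_ssrp_response(host: str, instance: str, port: int) -> bytes:
    """Browser service reply: 0x05, 2-byte little-endian length, key;value;... string (version is constructed)."""
    body = (f"ServerName;{host};InstanceName;{instance};IsClustered;No;"
            f"Version;10.0.0.0;tcp;{port};;").encode()
    return b"\x05" + len(body).to_bytes(2, "little") + body


def parse_ssrp_response(data: bytes) -> int:
    """Client side of the handoff: extract the TCP port the named instance listens on."""
    if not data or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    fields = data[3:3 + length].decode().rstrip(";").split(";")
    kv = dict(zip(fields[0::2], fields[1::2]))
    return int(kv["tcp"])


def connect(acl: List[AclEntry], client_ip: str, instance: str) -> Tuple[str, object]:
    """Walk the connection as the router would see it; returns ("connected", port) or ("blocked", stage)."""
    if instance == "MSSQLSERVER":
        # Default instance: no Browser lookup, straight to TCP 1433.
        if not acl_permits(acl, "tcp", client_ip, 1433):
            return ("blocked", "tcp/1433")
        return ("connected", 1433)
    # Named instance: the client must first reach the Browser service on UDP 1434.
    if not acl_permits(acl, "udp", client_ip, 1434):
        return ("blocked", "udp/1434")           # handoff never requested
    reply = build_ssrp_response("DBHOST", instance, INSTANCES[instance])
    port = parse_ssrp_response(reply)
    # Then the client is redirected to the dynamic port, which the ACL must also allow.
    if not acl_permits(acl, "tcp", client_ip, port):
        return ("blocked", f"tcp/{port}")
    return ("connected", port)


# ACL with an "all ports" TCP entry (no "eq") for the trusted subnet, as the post suggests.
ACL_ALL_PORTS = [
    AclEntry("permit", "udp", "10.0.0.0/24", 1434),
    AclEntry("permit", "tcp", "10.0.0.0/24", None),
]

# ACL that only opens 1433/tcp and 1434/udp: the dynamic port is never reachable.
ACL_FIXED_PORTS = [
    AclEntry("permit", "udp", "10.0.0.0/24", 1434),
    AclEntry("permit", "tcp", "10.0.0.0/24", 1433),
]


if __name__ == "__main__":
    for acl_name, acl in (("all-ports", ACL_ALL_PORTS), ("fixed-ports", ACL_FIXED_PORTS)):
        for ip in ("10.0.0.5", "192.168.1.9"):
            for inst in INSTANCES:
                print(acl_name, ip, inst, connect(acl, ip, inst))
```

Running the script shows the two effects the post describes: a client outside the permitted subnet is stopped at UDP 1434 before it can learn the named instance's port, and a trusted client that is permitted on 1434/udp but not on the dynamic port is blocked at the redirect unless the TCP entry omits "eq".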