I'm having a problem getting a standalone VTC box working. We're replacing Cisco ASAs with PA-500s at our sites, so there are existing rules that should be working when translated to Palo Alto. I'm fairly confident I have the requirements down:

- tcp/1720 (h323)
- tcp/5060 (sip)
- tcp/5061 (sip-tls)
- udp/5060 (sip-udp)
- tcp/60000-64999 (media-tcp)
- udp/60000-64999 (media-udp)

We have the VTC box in the site DMZ, with the outside IP translated like so:

- Src Z: Outside
- Dst Z: Outside
- Dst If: any
- Src IP: any
- Dst IP: 1.1.1.1 (our fake public IP)
- Svc: any
- Dst Translation: 10.1.1.10 (our fake VTC internal IP)

...and the relevant ACL:

- Src Z: Outside
- Dst Z: DMZ
- Src IP: any
- Src User: any
- Dst IP: 1.1.1.1
- App: any
- Svc: Service Group "vtc" (contains the services named above)
- Action: Allow

There's another ACL to allow Src Z: DMZ to Dst Z: Outside on any traffic.

Now here's what happens:

- Using the famous VTC Callback test site (71.14.2.158), the call connects, but there's no audio/video. This usually means the UDP/TCP media ports aren't being allowed in.
- From outside, connecting to 1.1.1.1 on tcp/1720 succeeds. I've tested with another outside VTC, and with telnet 1.1.1.1 1720. No audio/video, though.
- Using the debug dataplane packet-diag series of commands to log rx, tx, firewall, and drop to separate pcap files, I see in the firewall capture all of the call setup stuff. Looks good. However, in the drop log, I see the incoming UDP packets to port 60232 (for example) being dropped.

So, I don't see why incoming on tcp/1720 works, but using the same rule to allow UDP on 60,000 - 64,999 would drop packets to 60,232.
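Added example, not part of the original post: a small Python model of the Outside-to-DMZ rule and the "vtc" service group exactly as listed above, used to check which sample packets the port ranges would admit. It confirms that udp/60232 sits inside media-udp, so the service definitions themselves are not what excludes that packet; the function names and sample packets are constructed for this check.

```python
# Model of the poster's security rule and "vtc" service group (constructed example).
from dataclasses import dataclass
from typing import Optional

# Service group "vtc" as listed in the post: "proto/port[-port] (name)"
VTC_SERVICES = [
    "tcp/1720 (h323)", "tcp/5060 (sip)", "tcp/5061 (sip-tls)",
    "udp/5060 (sip-udp)", "tcp/60000-64999 (media-tcp)",
    "udp/60000-64999 (media-udp)",
]

@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    low: int
    high: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.low <= port <= self.high

def parse_service(text: str) -> Service:
    """Parse 'udp/60000-64999 (media-udp)' into a Service with a port range."""
    spec, _, name = text.partition(" (")
    proto, _, ports = spec.partition("/")
    low, _, high = ports.partition("-")
    return Service(name.rstrip(")"), proto, int(low), int(high or low))

SERVICE_GROUP = [parse_service(s) for s in VTC_SERVICES]

def rule_matches(src_zone: str, dst_ip: str, proto: str, port: int) -> Optional[str]:
    """Security rule: Outside -> DMZ, Dst IP 1.1.1.1 (pre-NAT), Svc = group "vtc".
    Returns the name of the service that admits the packet, or None."""
    if src_zone != "Outside" or dst_ip != "1.1.1.1":
        return None
    for svc in SERVICE_GROUP:
        if svc.matches(proto, port):
            return svc.name
    return None

# Constructed sample packets: the two from the post plus one just below the media range.
SAMPLE_PACKETS = [
    ("Outside", "1.1.1.1", "tcp", 1720),   # call setup, seen in the firewall capture
    ("Outside", "1.1.1.1", "udp", 60232),  # media packet that appears in the drop capture
    ("Outside", "1.1.1.1", "udp", 59999),  # just below media-udp, should not match
]

if __name__ == "__main__":
    for zone, dst, proto, port in SAMPLE_PACKETS:
        hit = rule_matches(zone, dst, proto, port)
        print(f"{proto}/{port}: {'allowed by ' + hit if hit else 'no service match'}")
```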