Passing RTSP through FTD

Hi!

I'm experimenting with passing an RTSP stream from an IP camera to my PC through 2 FTD devices with NAT.
The CAM uses separate UDP ports, which are known from the RTSP SETUP message sent by the PC (client_port header), to transfer video.

Here's my setup:

PC ----- FW_1 ----- FW_2 ----- CAM

If the CAM is published on the Internet using the standard RTSP TCP/554 port, video is working.
The interesting part comes in when I try to publish the CAM on a non-standard port, for example 555.

On FW_2, besides the ACL and NAT rule modifications, I had to change the default global inspection policy and include TCP/555 to be inspected as RTSP.
After this I end up in a situation where the CAM video reaches FW_1 and is dropped, and I can't figure out why it's dropped.

If we look at the traffic dump, we see that after the PC sends the RTSP SETUP with the ports for video, it tries to reserve/pre-open entries in the NAT table of FW_1 by sending UDP packets. Thus, before the camera sends video, entries for the video were prepared in FW_1's table. But they don't work (maybe because of, for example, a port-restricted cone NAT implementation: the video traffic will not fit those pre-opened NAT entries, since the source port in the video traffic after FW_2 will not coincide with the entries in the NAT table), or something else blocks the video traffic (for example, in the attached file you can see that blocking occurs due to the last rule, Rule 19 - SNORT, although NAT is passed).

Rule 19 is basically the default deny ip any any at the end of the ACP.

Why is the video unable to pass through FW_1?

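The post's hypothesis is that FW_1 pre-opens UDP entries keyed on the ports negotiated in the RTSP SETUP exchange, and that a port-restricted pinhole will reject the camera's RTP if FW_2 rewrites the source port on the way out. The script below is an added example, not code from the original post or from Cisco: it parses the client_port/server_port pairs out of a constructed SETUP request and 200 OK (the addresses, ports and session values are invented), builds the pinholes FW_1 would have after the PC's UDP "reservation" packets, and then checks whether an inbound RTP packet with a given post-FW_2 source port matches them under port-restricted versus address-restricted semantics. The NAT model is a simplification written for this illustration, not a description of FTD's internal tables.

```python
import re
from dataclasses import dataclass

# Constructed sample RTSP SETUP exchange (assumed values, not from the post's capture).
PC_IP = "192.0.2.10"            # PC inside FW_1
CAM_PUBLIC_IP = "203.0.113.10"  # CAM as published by FW_2

SETUP_REQUEST = (
    "SETUP rtsp://203.0.113.10:555/stream/track1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=50000-50001\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678;timeout=60\r\n"
    "Transport: RTP/AVP;unicast;client_port=50000-50001;"
    "server_port=20000-20001;ssrc=1A2B3C4D\r\n"
    "\r\n"
)

_PORT_RANGE = re.compile(r"(client_port|server_port)=(\d+)(?:-(\d+))?")


def parse_transport(msg: str) -> dict:
    """Return {'client_port': (lo, hi), 'server_port': (lo, hi)} from the Transport header.

    A single port (no '-hi' part) is returned as (port, port).
    """
    for line in msg.split("\r\n"):
        if line.lower().startswith("transport:"):
            ports = {}
            for name, lo, hi in _PORT_RANGE.findall(line):
                low = int(lo)
                ports[name] = (low, int(hi) if hi else low)
            return ports
    return {}


@dataclass(frozen=True)
class Pinhole:
    """One UDP entry FW_1 opens when the PC sends from inside_port to remote_ip:remote_port."""
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int


def open_pinholes(client_ports, server_ports, pc_ip, cam_ip):
    """Pair RTP with RTP and RTCP with RTCP: PC:client_port[i] <-> CAM:server_port[i]."""
    client = range(client_ports[0], client_ports[1] + 1)
    server = range(server_ports[0], server_ports[1] + 1)
    return [Pinhole(pc_ip, c, cam_ip, s) for c, s in zip(client, server)]


def inbound_allowed(pinholes, src_ip, src_port, dst_ip, dst_port, port_restricted=True):
    """Port-restricted cone: inbound src IP *and* port must equal the pinhole's remote side.

    With port_restricted=False only the remote IP has to match (address-restricted cone).
    """
    for p in pinholes:
        if (dst_ip, dst_port) != (p.inside_ip, p.inside_port):
            continue
        if src_ip != p.remote_ip:
            continue
        if port_restricted and src_port != p.remote_port:
            continue
        return True
    return False


def video_reaches_pc(cam_source_port_after_fw2: int, port_restricted: bool = True) -> bool:
    """Does the CAM's RTP (as it leaves FW_2) match the pinholes FW_1 built from the SETUP?"""
    client_ports = parse_transport(SETUP_REQUEST)["client_port"]
    server_ports = parse_transport(SETUP_RESPONSE)["server_port"]
    pinholes = open_pinholes(client_ports, server_ports, PC_IP, CAM_PUBLIC_IP)
    # RTP packet from the camera after FW_2's NAT, aimed at the PC's RTP client_port.
    return inbound_allowed(pinholes, CAM_PUBLIC_IP, cam_source_port_after_fw2,
                           PC_IP, client_ports[0], port_restricted)


if __name__ == "__main__":
    print("server_port kept (20000):", video_reaches_pc(20000))
    print("FW_2 PAT rewrote to 1024, port-restricted:", video_reaches_pc(1024))
    print("FW_2 PAT rewrote to 1024, address-restricted:", video_reaches_pc(1024, False))
```

The practical check this suggests: compare the server_port values in the SETUP reply against the UDP source ports actually seen arriving at FW_1's outside interface. If they differ, FW_2 is translating the media source port and the pre-opened entries will never match, regardless of the ACP rule that finally logs the drop.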