I compared a working one that I had from the same customer and I found the culprit:
<vcloud:DestinationPortRange>Any</vcloud:DestinationPortRange>
<vcloud:DestinationIp>external</vcloud:DestinationIp>
<vcloud:SourcePort>-1</vcloud:SourcePort>
<vcloud:SourcePortRange>Any</vcloud:SourcePortRange>
<vcloud:SourceIp>internal</vcloud:SourceIp>
<vcloud:EnableLogging>false</vcloud:EnableLogging>