Hello.
After migrating from NSX-V to NSX-T, the firewall rules no longer work as they did before. In the NSX-V environment I have an SNAT rule translating an internal IP to an external IP and a DNAT rule translating the external IP to the internal IP. The firewall rules on the NSX-V edge look like this:

source        destination   app    action
internal ip   any           any    allow
any           external ip   icmp   allow
With this config, VMs in the internal network can access the internet and I can ping the external IP from the external world.
But after migrating to NSX-T, the VMs can access the internet as before, but I can't ping the external IP. After investigating NSX-T I found two solutions to resolve this issue:
1. Change the DNAT firewall match from "match internal address" to "match external address", or
2. Change the firewall rules to the following and leave the DNAT firewall match at "match internal address"; then I can ping the external IP:

source        destination   app    action
internal ip   any           any    allow
any           internal ip   icmp   allow
Is this normal behavior on NSX-T? The problem is that when DNAT is configured on the NSX-T edge from vCloud Director, the system always sets the DNAT firewall match to "match internal address", so my customers' firewall rules often don't work as they expect, and we must change it to "match external address" from NSX-T Manager or tell them to change their rules.
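Added illustration, not part of the original post and not NSX code: a small Python model of which addresses the NSX-T gateway firewall evaluates depending on a NAT rule's firewall-match setting. With "match internal address" the firewall sees the post-DNAT (internal) destination for inbound traffic and the pre-SNAT (internal) source for outbound traffic; with "match external address" it sees the external address in both directions. The two rule sets from the post are run through it. The addresses 10.0.0.10, 203.0.113.10 and 198.51.100.7 are constructed samples, and the NAT rule selection and default-deny are simplifying assumptions of the model.

```python
"""Simplified model of NSX-T gateway firewall evaluation under the two
NAT firewall-match modes. Illustration only; not NSX-T code."""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"
MATCH_INTERNAL = "MATCH_INTERNAL_ADDRESS"
MATCH_EXTERNAL = "MATCH_EXTERNAL_ADDRESS"
BYPASS = "BYPASS"  # NAT rule skips the gateway firewall entirely


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    app: str  # e.g. "icmp", "tcp/443"


@dataclass(frozen=True)
class NatRule:
    kind: str            # "SNAT" or "DNAT"
    match_ip: str        # address that triggers the translation
    translated_ip: str   # address it is rewritten to
    firewall_match: str = MATCH_INTERNAL  # vCloud Director's default per the post


@dataclass(frozen=True)
class FwRule:
    src: str
    dst: str
    app: str
    action: str  # "allow" or "drop"


def _matches(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def fw_verdict(rules: List[FwRule], pkt: Packet) -> str:
    """First matching rule wins; no match means the default-deny drops it."""
    for r in rules:
        if _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst) and _matches(r.app, pkt.app):
            return r.action
    return "drop"


def gateway(pkt: Packet, nat_rules: List[NatRule],
            fw_rules: List[FwRule]) -> Tuple[str, Packet]:
    """Return (verdict, packet as the gateway firewall saw it).

    Simplification: the first DNAT rule whose match_ip equals the packet's
    destination, or the first SNAT rule whose match_ip equals its source,
    is the one applied. Only the firewall's *view* differs between the
    match modes; the packet is translated identically either way.
    """
    fw_view = pkt
    for nat in nat_rules:
        if nat.kind == "DNAT" and nat.match_ip == pkt.dst:
            if nat.firewall_match == BYPASS:
                return "allow", pkt
            if nat.firewall_match == MATCH_INTERNAL:
                # firewall evaluates the post-DNAT (internal) destination
                fw_view = Packet(pkt.src, nat.translated_ip, pkt.app)
            break
        if nat.kind == "SNAT" and nat.match_ip == pkt.src:
            if nat.firewall_match == BYPASS:
                return "allow", pkt
            if nat.firewall_match == MATCH_EXTERNAL:
                # firewall evaluates the post-SNAT (external) source
                fw_view = Packet(nat.translated_ip, pkt.dst, pkt.app)
            break
    return fw_verdict(fw_rules, fw_view), fw_view


# Constructed sample addresses (RFC 1918 / documentation ranges).
INTERNAL_IP = "10.0.0.10"
EXTERNAL_IP = "203.0.113.10"
OUTSIDE_HOST = "198.51.100.7"


def run_scenarios() -> dict:
    """The post's rule sets against the two DNAT firewall-match settings."""
    snat = NatRule("SNAT", INTERNAL_IP, EXTERNAL_IP)
    dnat_internal = NatRule("DNAT", EXTERNAL_IP, INTERNAL_IP, MATCH_INTERNAL)
    dnat_external = NatRule("DNAT", EXTERNAL_IP, INTERNAL_IP, MATCH_EXTERNAL)

    # NSX-V style rules (rule 2 keyed on the external IP)
    rules_ext = [FwRule(INTERNAL_IP, ANY, ANY, "allow"),
                 FwRule(ANY, EXTERNAL_IP, "icmp", "allow")]
    # The post's second fix (rule 2 keyed on the internal IP)
    rules_int = [FwRule(INTERNAL_IP, ANY, ANY, "allow"),
                 FwRule(ANY, INTERNAL_IP, "icmp", "allow")]

    ping_in = Packet(OUTSIDE_HOST, EXTERNAL_IP, "icmp")
    https_out = Packet(INTERNAL_IP, OUTSIDE_HOST, "tcp/443")

    return {
        "as_migrated": gateway(ping_in, [snat, dnat_internal], rules_ext),
        "fix1_match_external": gateway(ping_in, [snat, dnat_external], rules_ext),
        "fix2_rule_on_internal": gateway(ping_in, [snat, dnat_internal], rules_int),
        "outbound": gateway(https_out, [snat, dnat_internal], rules_ext),
    }


if __name__ == "__main__":
    for name, (verdict, seen) in run_scenarios().items():
        print(f"{name:24s} firewall saw {seen.src} -> {seen.dst} {seen.app}: {verdict}")
```

In the "as_migrated" case the firewall sees the ping addressed to 10.0.0.10, so the rule keyed on the external IP never matches and the default deny drops it; either changing the DNAT rule to MATCH_EXTERNAL_ADDRESS or rewriting the rule to the internal IP makes it allow. The model also shows why only the DNAT rule should be switched: flipping the SNAT rule to MATCH_EXTERNAL_ADDRESS would make the firewall see outbound traffic sourced from 203.0.113.10, and the "internal ip any any allow" rule would stop matching.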