Hello.

 After migrate from nsx-v to nsx-t, firewall rule not work like before. In nsx-v environment I have snat rule translate internal ip to external ip and dnat rule to translate external ip to internal ip. Firewall rule on nsx-v edge look like this.

source       destination      app     action

internal ip        any             any       allow

any              external ip        icmp     allow

With this config vm in internal can access internet and I can ping to external ip from external world.

But when migrate to NSX-T vm can access to internet like before but I can't ping to external ip. After investigate to nsx-t I found that 2 solutions to resolve this issue.

1 is change dnat firewall from match internall adress to match external address 

2 or I can change firewall rule to this and leave dnat firewall to match internal address then I can ping external ip.

internal ip        any             any       allow

any              internal ip        icmp     allow

Is this normal behavior on nsx-t? The problem is when config DNAT on nsx-t edge from vcloud director, system always set dnat firewall to match internal address so my customer firewall rule not work as they expected many times and we must change to match external address from nsx-t manager or told them to change rule.