Behaviour of DNAT rule with 'firewall match external IP' option processed by firewall on service interface

Article ID: 319132

Products

VMware NSX
VMware NSX-T Data Center

Issue/Introduction

  • The DNAT rule is processed correctly on the service interface, and the firewall is applied correctly there as well.
  • The problem is that on egress via the uplink or the service link there is no firewall rule allowing the packet through based on the internal (translated) IP. When the default rule is configured as "drop", the session is dropped.

Environment

VMware NSX-T Data Center
VMware NSX

Cause

When the DNAT rule is configured with "firewall match external address", the firewall first matches on the external IP address before the DNAT takes place. DNAT is then applied, and the firewall evaluates the packet a second time, this time matching on the internal (translated) IP address.

Since there is no explicit firewall rule for the internal translated IP address, the session does not flow through.

Resolution

This is an expected behaviour.

Routed non-distributed Org VDC networks in an NSX-T backed Org VDC work by attaching them via the Service Interface (Centralized Service Port - CSP) directly to the Tier-1 Service Router (SR). This has the following consequences:

  • NAT (source or destination) can be applied solely to that interface (it can be selected in the Advanced settings of the NAT rule). By default, NAT rules are applied to every interface (meaning the uplink and the CSPs).
  • Firewall policy is also applied on the CSP interface. However, when the packet traverses the CSP it may already have been NATed at the uplink port, which means that if the firewall allow policy specifies the pre-NAT IP (external), the rule will not match on the translated IP (internal).
  • So when the CSP interface is used as the downlink, the gateway firewall is applied to it.

The firewall evaluations on the uplink and on the CSP are independent. Each therefore requires its own matching firewall rule whenever the NAT action changes the IP and the rules rely on those IPs for the allow/drop decision.


Workaround:

There are two possible workarounds:

  1. Add a new firewall rule to allow the internal translated IP before migration.
  2. Change the option to "firewall match internal IP" and rewrite the firewall rule to use the internal translated IP after migration.
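The two-pass evaluation described under Cause, and the effect of each workaround, as an added example that is not part of this article or of NSX itself. It is a constructed Python model of the uplink and CSP firewall hops (the `DnatRule`, `FwRule` and `trace_session` names, the addresses and the single-rule policies are all assumptions made for illustration):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the Tier-1 uplink -> CSP path from the KB; not NSX code.
EXTERNAL = "MATCH_EXTERNAL_ADDRESS"   # "firewall match external IP"
INTERNAL = "MATCH_INTERNAL_ADDRESS"   # "firewall match internal IP"


@dataclass
class DnatRule:
    external_ip: str      # pre-NAT destination seen on the uplink
    translated_ip: str    # post-NAT destination on the Org VDC network
    firewall_match: str = EXTERNAL


@dataclass
class FwRule:
    destination: str      # CIDR the gateway firewall rule matches on
    action: str           # "ALLOW" or "DROP"


def fw_decision(rules, dst_ip, default="DROP"):
    """First-match gateway firewall lookup; `default` is the default rule."""
    for rule in rules:
        if ip_address(dst_ip) in ip_network(rule.destination):
            return rule.action
    return default


def trace_session(nat, rules, dst_ip, default="DROP"):
    """Return ([(hop, ip_checked, verdict), ...], final_verdict)."""
    hops = []
    translated = nat.translated_ip if dst_ip == nat.external_ip else dst_ip
    # Hop 1, uplink: the match option decides whether the firewall sees the
    # pre-NAT (external) or post-NAT (internal) address.
    checked = dst_ip if nat.firewall_match == EXTERNAL else translated
    verdict = fw_decision(rules, checked, default)
    hops.append(("uplink", checked, verdict))
    if verdict != "ALLOW":
        return hops, "DROP"
    # Hop 2, CSP: the packet is already DNATed, so only the translated
    # address can match here, whatever the NAT rule's match option is.
    verdict = fw_decision(rules, translated, default)
    hops.append(("csp", translated, verdict))
    return hops, "ALLOW" if verdict == "ALLOW" else "DROP"
```

With only an allow rule for the external IP the CSP hop falls through to the default "drop"; adding an allow rule for the translated IP (workaround 1) or switching the match option and rewriting the rule to the internal IP (workaround 2) lets the session through.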