To recognize this symptom and provide a permanent workaround to address it.

Symptoms:
The DNAT works on the way to the physical IP and the physical IP returns. However, the return traffic is NOT translated(un-natted). This means the return traffic reaching the VM is from the externally natted IP and the VM is dropping the Syn-Ack as not meant for it. Communication is unable to take place.

VMware NSX-T Data Center

In this scenario, "Double Inspection" is needed on the edge, which is not enabled by default. When the traffic returns on the uplink, only the traffic IN is being matched which does not find the DNAT state.

On NSX-T Edge where the double inspection is to take place:

nsx-edge> get firewall <T1 Uplink UUID> param one_state_opt value
nsx-edge> set firewall <T1 Uplink UUID> param one_state_opt value 0

Note: Above configuration change does not persist after placing edge node into NSX Maintenance Mode or rebooting.

Workaround:
To make the above value of "0" persist across reboots and NSX Maintenance Mode, use the following API call process:

// Before running API
yalee-svc> get firewall fxxxxxx9-4xx0-4xx8-8xxd-7xxxxxxxxxx9 param one_state_opt
one_state_opt : 1

// After running API
yalee-svc> get firewall fxxxxxx9-4xx0-4xx8-8xxd-7xxxxxxxxxx9 param one_state_opt
one_state_opt : 0

Following are the details:
----------------------------

1. Configure GeneralSecuritySettingsProfile
1.1 Create profile.json that looks like:

{
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "display_name" : "nat-security-profile"
}

1.2 Run following API to create the profile object:

curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' -X POST https://<NSX-T-Manager-IP>/api/v1/firewall/profiles -d "`cat profile.json`"

// To Review:
curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' https://<NSX-T-Manager-IP>/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile

2. Configure ServiceConfig:
2.1 Create service_config_highline.json that looks like:

Note: The profile target_id can be found by running the view command in Step 1.2. The Logical Router target_id should be the LR UUID of the logical router of the UPLINK port where you want to run the firewall param NSX CLI. I'm setting to 2 logical routers here but you can set on one or more.

{
    "display_name" : "testServiceConfig",
    "profiles": [
        {
            "profile_type":"GeneralSecuritySettingsProfile",
            "target_id":"6xxxxxxa-exx0-4xxa-9xxf-7xxxxxxxxxx3"
        }
    ],
    "precedence": 10,
    "applied_to": [
        {
            "target_type": "LogicalRouter",
            "target_id": "2xxxxxx7-bxx7-4xxe-8xx7-9xxxxxxxxxx6"
        },
        {
            "target_type": "LogicalRouter",
            "target_id": "7xxxxxx9-2xx6-4xxd-bxx2-7xxxxxxxxxx3"
        }
    ]
}

2.2 Configure service-configs object

curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' -X POST https://<NSX-T-Manager-IP>/api/v1/service-configs -d "`cat service_config_highline.json`"

// to review
curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' https://<NSX-T-Manager-IP>/api/v1/service-configs

root@nsx-t-lm-a:/tmp# curl -k -H 'Content-Type:application/json' -u 'admin:<password>' https://nsx-manager-ip-or-fqdn/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile
{
  "results" : [ {
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "id" : "4xxxxxx8-2xxa-4xxb-axx4-axxxxxxxxxxe", <<<<<<<<<<< profile target_id
    "display_name" : "nat-security-profile",
    "_create_user" : "admin",
    "_create_time" : 1626133182389,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1626133699695,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 1
  } ],
  "result_count" : 1,
  "sort_by" : "display_name",
  "sort_ascending" : true
}