I'll take it this is Azure environment?
1. If you do not see the logs of your attempts to connect to the Web-Srv1, either allow or drop, start looking at routing.
run traceroute on your originator and see if you are hitting the firewall's interface (you may want to permit ICMP globally while troubleshooting).
2. You configure NAT not on the firewall's interface, but in the object's properties: I.e. if you are trying to permit outbound connection to the Internet only on the host or a network, choose "Hide NAT behind Gateway's IP". If you are trying to permit inbound or bidirectional access, use Static NAT.
3. From the limited information you have provided, I can only draw limited conclusions, so these may not be accurate:
If you are seeing only replies to your connectivity attempts, it looks like you have a route from your source to the Web-Srv1 that bypassing the Check Point gateway, but not in reverse. Instead, Web-Srv1 is using (probably) its default route that is pointing to the Gateway and that is what is getting logged.