how can we check it?

Using one of the following tools from the CLI:

• fw monitor (sk30583)
• cppcap (sk141412)
• tcpdump

Also what service object is used in your rule both to allow the traffic and for the NAT?

reverse traffic is not visible.

attached a screenshot of the objects.

Please check the routing is symmetric or that there are no ACLs on the router impacting the traffic.

Both objects are used in the NAT policy?

routing is symmetrical, both objects are in NAT, no ACLs

Maybe an ARP issue?

If you use source NAT (not clear from your post if its source or destination NAT), then there are cases where you have to take care of ARP.

This is what I mean:

Simple Topology:

whatever is behind the router <- ROUTER eth2 (10.0.0.1) <- eth1 (10.0.0.254) GATEWAY eth 2 (172.16.0.1) <- Client (172.16.0.20)

Example 1:

You set a source NAT with translating 172.16.0.20 to 10.0.0.254. This will work out of the box.

Example 2:

You set a source NAT with translating 172.16.0.20 to 10.0.0.200. This will only work, if you setup 10.0.0.200 as proxy arp address in GAIA for that interface or activated the automatic proxy arp feature. Or you put a static arp entry in your routers ARP table (not recommended). Or you set a route on your router routing 10.0.0.200/32 to 10.0.0.254 (unusual).

Example 3:

You set a source NAT with translating 172.16.0.20 to 5.5.5.5. This will only work, if you set a route on your router routing 5.5.5.5/32 to 10.0.0.254.

Need to investigate why the traffic doesn't reach the gateway, depending on your NAT configuration it might be proxy-ARP issue or a problem elsewhere.