Hi,
As per the debug, the Firewall is handling the packet as expected.
tunnel.1:10.10.20.254/49292->10.10.10.7/1024,1(8/0)<Root> *** Packet reaching the firewall through tunnel
Permitted by policy 320002 ********** Allowed by default policy
packet send out to d48564438f9a through bgroup0 ********** Sent out to the LAN.
But the response packet is not seen.
Do you still have the Src-NAT configuration in place? Because the Firewall is not NAT-ing the traffic as per the debug.
Also, is there a specific policy that you have configured for this traffic? Because the traffic here is being allowed by the Default policy and not a specific policy (320002 is the default permit).
I would suggest:
<<<On SSG-20>>>
1. Create a new policy to allow this traffic
2. Enable src-NAT, use Egress interface IP option on this policy
3. Test traffic flow
4. Collect debugs again if issue is not fixed (you may need to add more filters, to include the NAT IP as well)