Sam,
Thanks for the extra info. Knowing that the policies are applied "half-way through" the NAT process was the key.
Sadly, the logs made it worse, since they seem to use data from before any NAT.
As far as the test-abc application, ICMP is allowed via other policies (all the policies that end in -icmp).
Thanks!
...Ralph