Hello,
I guess you are using a single STATIC IP for both NATing ( From internal machines to access internet) and as a VIP with portforwarding ( To access the internal machine from outside)
if that is true, you may have to place a policy to block the connections from your source IP.
Soruce int - any
source add - your static IP address (If you are using any other IP' s for NATing you can place that IP)
Destination inter - WAN 1
Destination Address - your static IP ( VIP)
Service - Any ( Can be blocked the particular service -, https, rdp etc)
Action - Deny.
Just try out and see.
Nihas [\b]