A DFW rule that uses the DNAT IP as a condition does not work

Article ID: 413861


Products

VMware NSX

Issue/Introduction

  • In a DNAT configuration, the <destination IP> is translated into the <translated IP>. Refer to the document Configure an NSX NAT/DNAT/No SNAT/No DNAT/Reflexive NAT.
  • The DFW is configured to use the <destination IP> as a filtering condition.
  • The DFW does not work as intended. For example, a rule with a block action does not block the traffic.

Environment

VMware NSX 4.X

Cause

By default, the firewall settings use "Match Internal Address". For DNAT, the internal address is the translated destination address after NAT is applied.
Therefore, in "Match Internal Address" mode, the DFW compares the <translated IP> against the rule condition, not the original <destination IP>, so a rule written for the <destination IP> never matches.

Resolution

Change the firewall settings to "Match External Address" so that the DFW compares the original <destination IP> against the rule condition.
For more details, please refer to the document Configure an NSX NAT/DNAT/No SNAT/No DNAT/Reflexive NAT.
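The following is an added model of the two match modes described in the Cause and Resolution sections, written for this page and not taken from the KB or from VMware. The IP addresses, the DFW default of ALLOW and the first-match evaluation are constructed assumptions; it shows why a block rule on the <destination IP> is skipped under "Match Internal Address" and matches under "Match External Address".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MATCH_INTERNAL = "Match Internal Address"   # the default described in the KB
MATCH_EXTERNAL = "Match External Address"   # the setting the KB resolution uses

@dataclass(frozen=True)
class DnatRule:
    destination: str  # <destination IP>: the address the client sends to
    translated: str   # <translated IP>: the internal address after NAT

@dataclass(frozen=True)
class DfwRule:
    destination_cidr: str
    action: str       # "DROP" or "ALLOW"

def apply_dnat(dst_ip, dnat_rules):
    """Return the translated destination, or the original when no DNAT rule matches."""
    for rule in dnat_rules:
        if rule.destination == dst_ip:
            return rule.translated
    return dst_ip

def dfw_action(dst_ip, dfw_rules, default="ALLOW"):
    """First-match evaluation on the destination address (assumed default: ALLOW)."""
    for rule in dfw_rules:
        if ip_address(dst_ip) in ip_network(rule.destination_cidr):
            return rule.action
    return default

def evaluate(original_dst, dnat_rules, dfw_rules, firewall_match):
    """Return (address the DFW compared, resulting action) for one packet."""
    translated = apply_dnat(original_dst, dnat_rules)
    if firewall_match == MATCH_INTERNAL:
        checked = translated       # cause: the rule condition sees <translated IP>
    elif firewall_match == MATCH_EXTERNAL:
        checked = original_dst     # resolution: the rule condition sees <destination IP>
    else:
        raise ValueError(f"unknown firewall match mode: {firewall_match}")
    return checked, dfw_action(checked, dfw_rules)

# Constructed sample: DNAT 203.0.113.10 -> 10.0.0.10, and a DFW block rule keyed
# on the public <destination IP>, which is exactly the mismatch the KB describes.
DNAT = [DnatRule(destination="203.0.113.10", translated="10.0.0.10")]
DFW = [DfwRule(destination_cidr="203.0.113.10/32", action="DROP")]

def demo():
    """Evaluate the same packet under both modes: {mode: (checked address, action)}."""
    return {mode: evaluate("203.0.113.10", DNAT, DFW, mode)
            for mode in (MATCH_INTERNAL, MATCH_EXTERNAL)}
```

Running `demo()` shows the block rule being bypassed (ALLOW) in the default mode and applied (DROP) once the external address is matched.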