Hi all, I'd like to publish a VPN gateway and a web server. My infrastructure looks like this:
Internet
  |
DSL Router
  |
1.1.1.1 Monowall WAN NIC
  |
2.2.2.2 Monowall DMZ NIC
  |
3.3.3.3 2nd Firewall DMZ NIC
  |
10.10.0.1 2nd Firewall LAN NIC
  |
10.10.0.2 WebServer LAN
I created a firewall rule to allow all VPN (ESP, UDP 4500 and 500) and HTTPS traffic, but only to address 3.3.3.3. I also use inbound NAT to map the ports accordingly (destination 3.3.3.3).

When I now run an online port scan (my IP shows up as 1.1.1.1 for the scanner), the ports mentioned before show up as unfiltered. But why? In my opinion a firewall rule takes precedence over inbound NAT, so all the packets addressed to 1.1.1.1 during the port scan should be dropped. Only packets to 3.3.3.3 should be allowed! But the packets on those three ports are forwarded to 3.3.3.3. My intention to drop all packets not explicitly addressed to my 2nd firewall already at the Monowall WAN interface doesn't work. Am I getting something wrong?
Thanks, Willy
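To see why the scan reports those ports as open, here is an added Python model (not from the post and not m0n0wall's own code) of the inbound path in the order m0n0wall evaluates it: inbound NAT rewrites the destination first, and the WAN filter rules are then matched against the already translated address, so a rule written for 3.3.3.3 matches packets the scanner sent to 1.1.1.1. The addresses, ports and rules are the ones from the post; the packet and rule representation is an assumption for the simulation.

```python
# Added example: minimal model of the inbound path on a m0n0wall WAN interface.
# Inbound NAT runs BEFORE the filter rules, so the filter sees the translated
# destination. Addresses, ports and rules are from the post; the data model is
# a simplification for illustration, not m0n0wall code.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None  # None for ESP, which carries no port

# Inbound NAT entries: (proto, port on the WAN address) -> internal destination
INBOUND_NAT = {
    ("udp", 500): "3.3.3.3",
    ("udp", 4500): "3.3.3.3",
    ("tcp", 443): "3.3.3.3",
    ("esp", None): "3.3.3.3",
}

# WAN filter rules as described in the post: allow VPN and HTTPS, but only
# when the destination is 3.3.3.3; anything else falls to the default deny.
FILTER_RULES = [
    ("udp", 500, "3.3.3.3"),
    ("udp", 4500, "3.3.3.3"),
    ("tcp", 443, "3.3.3.3"),
    ("esp", None, "3.3.3.3"),
]

def apply_inbound_nat(pkt: Packet, wan_ip: str) -> Packet:
    """Rewrite the destination if the packet hits a NAT entry on the WAN IP."""
    if pkt.dst != wan_ip:
        return pkt
    target = INBOUND_NAT.get((pkt.proto, pkt.dport))
    return replace(pkt, dst=target) if target else pkt

def filter_passes(pkt: Packet) -> bool:
    """Any matching allow rule passes the packet; no match means it is dropped."""
    return any(pkt.proto == p and pkt.dport == port and pkt.dst == dst
               for p, port, dst in FILTER_RULES)

def wan_inbound(pkt: Packet, wan_ip: str = "1.1.1.1") -> Tuple[str, bool]:
    """Return (destination as the filter sees it, passed?) for an inbound packet."""
    translated = apply_inbound_nat(pkt, wan_ip)        # NAT first ...
    return translated.dst, filter_passes(translated)   # ... then the rules

# A scanner probe to the public address on 443 is translated to 3.3.3.3 and
# allowed, which the online port scan reports as "unfiltered"; an unmapped
# port keeps its 1.1.1.1 destination, matches no rule and is dropped.
print(wan_inbound(Packet("tcp", "1.1.1.1", 443)))   # ('3.3.3.3', True)
print(wan_inbound(Packet("tcp", "1.1.1.1", 22)))    # ('1.1.1.1', False)
```

The practical consequence is that a WAN rule meant to restrict a NAT-forwarded port must be written against the translated (internal) destination, and a rule that only allows 3.3.3.3 does not prevent those forwarded ports from answering on the public address.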