I would move this rule above the other one
        rule VPN {
            match {
                source-address 192.168.0.0/22;
                destination-address 10.0.16.0/21;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
    }
}
A good command to run would be
show security flow session destination-prefix 10.0.16.0/21