I'm agree that it's "by design". But I don't understand why there is no reverse source NAT mapping in this case.
However, you're right. It was much easier than I thought. After making "source nat off":
user@r2> show security flow session source-prefix 192.168.20.135 destination-prefix 1.1.1.1
Session ID: 16603, Policy name: trust-to-untrust/4, Timeout: 1800, Valid
In: 192.168.20.135/63678 --> 1.1.1.1/22;tcp, If: fe-0/0/4.0, Pkts: 11, Bytes: 1721
Out: 1.1.1.1/22 --> 192.168.20.135/63678;tcp, If: .local..0, Pkts: 10, Bytes: 2281
Total sessions: 1
Thanks everyone.