IKEv2 VPN working without NAT exemption

mrjdh (Level 1)

I'm trying out the setup of a static-to-dynamic IKEv2 IPsec VPN.

The VPN is working, and pings from client PC 2 in the image below (192.168.2.2) are successfully making their way to client PC 1 in the topology. ISAKMP and IPsec SA stats are good.

[image: NATExemption.png]

At this end of the topology, I am simulating the dynamic end (in preparation for another lab). The ASA is behind an edge router, and the router is performing PAT. The other end of the topology has an ASA that is not behind a router performing PAT.

From everything I've read, a NAT exemption needs to be created to prevent client VPN traffic from being worked on by PAT. As you can see, on my edge router I have an ACL with the first entry being the client-to-client traffic.

Why is the VPN working when the entry is clearly getting no hits? The 'any any' entry is increasing when the client 2 PC is pinging the client 1 PC. As you can see from the NAT translations, the inside local address shown is the IP of the ASA outside interface (is this because I haven't NATted my 192.168.2.0 subnet to itself?), which may explain why R4 is not incrementing the count for the exemption rule, as it isn't actually receiving data from 192.168.2.0 clients.

How is the VPN working?

I'm pleased that it's working, but don't understand why.

Thanks.


2 Replies

So the VPN is between two ASAs? In that case you'd never see any traffic from the private network 192.168.2.0/24 to 192.168.1.0/24 on the router, as it is encapsulated and encrypted inside the VPN tunnel between the two ASAs. NAT exemption would be configured on the ASAs if you had a dynamic NAT defined.
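To make the reply concrete, here is the ASA-side configuration it refers to, written as an added example rather than taken from the thread or from either ASA in the lab. It assumes ASA 8.3+ NAT syntax and the default interface names `inside` (the 192.168.2.0/24 side) and `outside` (facing the PAT router); the two subnets and the 192.168.2.2 host come from the topology above, and the object names are invented. The identity twice-NAT rule sits in NAT section 1, so it is evaluated before the object (dynamic PAT) rule in section 2, which is what keeps the LAN-to-LAN traffic untranslated and lets it match the crypto ACL:

```cisco
! Assumed interface names: inside (192.168.2.0/24) and outside (towards the PAT router)
!
! Ordinary Internet-bound traffic: dynamic PAT to the outside interface address
! (object NAT, evaluated in NAT section 2)
object network LAN-LOCAL
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT exemption: identity twice-NAT (section 1, evaluated first) so that
! local-LAN to remote-LAN packets keep their real addresses, match the
! crypto ACL and are encapsulated into the tunnel instead of being PATted
object network LAN-REMOTE
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Verification: per-rule hit counters, and a simulated ping from PC 2 towards the remote LAN
show nat
packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.2
```

In the `packet-tracer` output the NAT phase should show the identity rule being hit and the VPN/IPsec phase should show the packet being encrypted; that is the point of the reply. From then on the edge router only ever sees ESP or UDP/4500 (NAT-T) datagrams sourced from the ASA's outside address, which is exactly why its ACL line for 192.168.2.0 to 192.168.1.0 never increments and why the router's translation table lists the ASA outside IP as the inside local address.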

Thank you, RJI.