Cisco ASA routing VPN traffic to the internet

We wanted to establish an IPsec site-to-site VPN between a Cisco ASA and a Sophos XG. The Sophos properly routed the traffic into the tunnel, but the Cisco didn't. It seemed like the VPN traffic was routed to the Internet, because a tracert showed a public IP address.

The solution was very simple: We just forgot to tick the NAT Exempt checkbox in the list of the connection profiles.

As far as I understand, this is because the VPN connection is bound to an interface, where a default NAT rule might apply. Ticking this checkbox creates NAT exemption rules, preventing the default rule from applying.
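What that checkbox produces on the ASA, as an added CLI example (not taken from the original post): the dynamic PAT that sends everything to the Internet, the identity NAT rule that exempts the tunnel traffic from it, and the commands to confirm which rule actually matches. The interface names and subnets are assumed for illustration.

```cisco
! Assumed topology: local LAN 192.168.10.0/24 behind "inside",
! remote LAN 10.20.0.0/16 reachable through the VPN on "outside".
object network LAN-LOCAL
 subnet 192.168.10.0 255.255.255.0
object network LAN-REMOTE
 subnet 10.20.0.0 255.255.0.0
!
! Default Internet access rule (section 3, after-auto): every inside
! host is translated to the outside interface address. Without an
! exemption this also rewrites traffic destined for the remote LAN,
! so it no longer matches the crypto map and leaves as plain Internet
! traffic (the public IP seen in the tracert).
nat (inside,outside) after-auto source dynamic any interface
!
! NAT exemption (identity NAT). Manual NAT without "after-auto" lands
! in section 1 and is evaluated before the dynamic PAT above.
! "no-proxy-arp" and "route-lookup" are what ASDM's NAT Exempt checkbox
! adds as well.
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Verification: packet-tracer reports the NAT rule and the VPN
! encrypt phase for a flow from the local to the remote LAN.
packet-tracer input inside tcp 192.168.10.5 40000 10.20.0.5 443 detailed
!
! The exemption rule should show increasing translate_hits; if only the
! dynamic PAT counts up, the exemption is missing or ordered after it.
show nat detail
```

If the exemption was created as an after-auto rule it sits in section 3 behind the PAT and never matches; `show nat` lists the sections in evaluation order, so the exemption must appear above the dynamic rule.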

Published on 2022-06-04, 09:36