I found a solution for this! I had to create the following policies:
untrust > trust (policy based VPN) - customer network to a wide object including the MIP.
trust > dmz (protected server) - allowing any, thus also the customer network as the source address.
I see traffic hitting the first policy but not the second. If I deny PING in my trust > dmz rule, I see no traffic hitting either policy, and PING isn't allowed through either.
This means that the customer network changes from being in the untrust to being in the trust zone during this process.
So, as a conclusion, I can say that traffic hits both policies but is only logged in the first one. A bit complex to comprehend, but it works.