I have a 1335 I am using between a PBX and the SIP provider. They are providing the SIP statically / no registration. They gave me the SIP server IP and assigned what IP I need to use. I am having issues where the SIP ALG is not catching some SIP packets on outbound and letting them pass without modifying them to reflect the NAT address. This is causing call drops and/or loss of audio one/both directions randomly. I have a port forward of 5060 to the internal address of the PBX but that is it. I have tried to disable the ALG and set the PBX just to send the external address as the contact, but that does not work for some advanced things like call transfers, so I had to put it back. I have Wireshark running and have caught it doing that. A call will establish and during the call it will reinvite a few times, and on the last one the PBX sends an OK, sometimes a few times, but the contact is not modified, and since it does not hear a reply it terminates the call. Since this is static I have to have 5060 ported through the firewall or the calls do not come in. Any suggestions? Thanks! - Jeremy
Can you avoid the NAT and assign a public IP to the PBX? You can still have your firewall rules in place but no NAT. Presumably the PBX has a second IP interface for the phones.
An alternative, and I don't know if the 1335 supports this but the TA900 series do for sure, would be to build a voice trunk type SIP toward the provider and a second one on the inside to the PBX. Then have voice grouped-trunk configuration to route your incoming phone numbers to the PBX and default out to the provider.
My suspicion is that the port 5060 inbound permit firewall rule is allowing traffic in without the ALG NAT fixup. Because it's a straight port forward it may not detect SIP. Alternatively it could be a bug. Check for newer firmware and/or the release notes on the firmware you're running under "errata" which is where known un-fixed bugs are listed. You may need to open a support case.
The TA900 with two trunks should definitely fix it. You can get away with a TA904 non-e model "on-a-stick" by using VLANs to its single Ethernet interface.
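To confirm which outbound messages the ALG missed, as described in the question, the following added example (not code from anyone in the thread) scans SIP messages captured on the WAN side for Contact, Via and SDP `c=`/`o=` fields that still carry an RFC 1918 address. The function names and the two sample 200 OK messages are constructed for illustration, and it assumes the messages have been exported from the capture as text.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIP_HEADERS = {"contact", "m", "via", "v"}  # long and compact header names
SDP_FIELDS = ("c=", "o=")                   # SDP connection and origin lines


def is_inside(addr):
    """True if addr is an RFC 1918 (inside) IPv4 address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def unrewritten_fields(message):
    """Return (field, address) pairs that still expose an inside address."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    hits = []
    for line in head.split("\n")[1:]:       # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in SIP_HEADERS:
            hits += [(name.strip(), a) for a in IPV4.findall(value) if is_inside(a)]
    for line in body.split("\n"):
        if line[:2].lower() in SDP_FIELDS:
            hits += [(line[:1], a) for a in IPV4.findall(line) if is_inside(a)]
    return hits


# Constructed samples: a 200 OK as it should leave the firewall, and the same
# message with the PBX's inside address left in place (documentation addresses).
OK_REWRITTEN = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK1\r\n"
    "Contact: <sip:pbx@203.0.113.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 1 1 IN IP4 203.0.113.5\r\n"
    "c=IN IP4 203.0.113.5\r\n"
)
OK_MISSED = OK_REWRITTEN.replace("203.0.113.5", "192.168.1.20")

if __name__ == "__main__":
    for label, msg in (("rewritten", OK_REWRITTEN), ("missed", OK_MISSED)):
        print(label, unrewritten_fields(msg))
```

Any non-empty result on a WAN-side capture marks a message that passed without the NAT fixup, which is useful evidence to attach to a support case.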