dendiko - there could be several factors in play. Does your ISP impose any restrictions on VoIP (for example, disallowing certain port numbers)? We use Verizon FIOS at one of our sites and they prevent VoIP ports from working. The problem you are seeing on the FW is the same thing we saw on the router using NAT and the CPs: it all appears to be working according to the policy and rules, however there is no communication. Not all applications can use NAT effectively.

What we ended up doing is placing the Tadiran UGW/PUGW cards in front of the FWs. So we have an aggregation switch where everything is parallel; plug a router into one of the ports and build crypto maps, and the remote users have a low-end Cisco router like an 8XX model. This works fine. Via ACLs, if implemented correctly, your router won't even show up in a scan, so your PBX and equipment will be fine. Also, it keeps voice/data separate at the point of entry to your network, and the tunnels meet any compliance issues an auditor can think up.


Adrian