[Serusers] [Newbie question] - NAT/port messed up

Hello! I'm trying to make my 1st SIP-based system working. I use SER-0.8.14 on Linux Sarge. I have usually UAs behind NAT firewalls. I found a case, when UAs are working very oddly, I can't call from one of them, after sime time I can't reach one of them from outside, after some time when I call one UA, the 2nd is answering (and the same time when I call 2nd UA, the 2nd is answering). I have 2 UAs [Grandstream BT100 & X-Lite v2.0] behind a linux NAT firewall. Both UAs use the same STUN and SER server. I did some tcpdumps and I found an interesting thing: Internet Protocol, Src Addr: <FWPUBLICIP> (<FWPUBLICIP>), Dst Addr: <SERIP> (<SERIP>) User Datagram Protocol, Src Port: 1024 (1024), Dst Port: 5060 (5060) Session Initiation Protocol Request-Line: REGISTER sip:<MYDOMAIN> SIP/2.0 Method: REGISTER Resent Packet: True Suspected resend of frame: 31 Message Header Via: SIP/2.0/UDP <FWPUBLICIP>;branch=z9hG4bK0dbeeb499dbd416e From: "M70" <sip:70@<MYDOMAIN>;user=phone>;tag=d4de3110a63ddb36 SIP Display info: "M70" SIP from address: sip:70@<MYDOMAIN> SIP tag: d4de3110a63ddb36 To: <sip:70@<MYDOMAIN>;user=phone> SIP to address: sip:70@<MYDOMAIN> Contact: * Call-ID: 6ead5eb5744d407d@<IP PHONE LAN IP> CSeq: 100 REGISTER Expires: 0 User-Agent: Grandstream BT100 1.0.5.16 Max-Forwards: 70 Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE Content-Length: 0 Internet Protocol, Src Addr: <SERIP> (<SERIP>), Dst Addr: <FWPUBLICIP>77.150.18 (<FWPUBLICIP>) User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060) Session Initiation Protocol Status-Line: SIP/2.0 200 OK Status-Code: 200 Resent Packet: False Message Header Via: SIP/2.0/UDP <FWPUBLICIP>;branch=z9hG4bK0dbeeb499dbd416e From: "M70" <sip:70@<MYDOMAIN>;user=phone>;tag=d4de3110a63ddb36 SIP Display info: "M70" SIP from address: sip:70@<MYDOMAIN> SIP tag: d4de3110a63ddb36 To: <sip:70@<MYDOMAIN>;user=phone>;tag=9ed85684aa54afbffef0a2d40b9935f4.71f6 SIP to address: sip:70@<MYDOMAIN> SIP tag: 9ed85684aa54afbffef0a2d40b9935f4.71f6 Call-ID: 6ead5eb5744d407d@<IP PHONE IP> CSeq: 100 REGISTER Server: Sip EXpress router (0.8.14 (i386/linux)) Content-Length: 0 Warning: 392 <SERIP>:5060 "Noisy feedback tells: pid=25451 req_src_ip=<FWPUBLICIP> req_src_port=1024 in_uri=sip:<MYDOMAIN> out_uri=sip:<MYDOMAIN> via_cnt==1" What is interesting is that REGISTER message went out from port 1024 but 200 OK came to port 5060. Is this OK? I think here is some problem and this can make the phones working oddly. SER is configured with nathelper+rtpproxy. ... if (nat_uac_test("3")) { # Allow RR-ed requests, as these may indicate that # a NAT-enabled proxy takes care of it; unless it is # a REGISTER if (method == "REGISTER" || ! search("^Record-Route:")) { log("LOG: Someone trying to register from private IP, rewriting\n"); # This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a configuration # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is # called "symmetric media" and "symmetric signalling". fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed }; }; ... It is basically the sample nathelper configuration. Could anybody give me a hint? If it is a well-known situation, please point me to some other resources, I'm really a new-comer in SIP/SER. Thank you in advance! Kind regard, Tamas J.