You are talking in generalities about an issue where details are critically important.
A NAT does not normally modify the payloads of any packets; of course it does modify addresses in the IP header (that’s what NAT is) and may modify port numbers in the UDP or TCP headers, so multiple LAN devices can share a single public IP.
Some NAT devices include a SIP ALG that does modify the SIP payload, which often causes trouble for Asterisk and other VoIP servers. There is generally a way to disable it; for example see https://community.sophos.com/kb/en-us/123523 . If not, it can usually be worked around, by using nonstandard port numbers or SIP over TCP or TLS.
Since you have it working, there is probably no reason to mess with it anymore. However, it’s IMO not a clean solution. If possible, I would have put the modem in bridge mode so that the Sophos could receive a public IP, or forwarded all required ports to the Sophos. Then, with proper configuration there, it should be possible to have the PBX, all phones and the computers on the same LAN.