My extensions are definitely set to NAT NO, I have tried other settings too.
As far as I can remember the main Sip Settings nat is also set to no, (I will check on this)
It’s good to hear that what I want to do is possible, I was beginning to give up. I agree with comments above that the time spent is probably not worth it, but, well, maybe I’m too tenacious or maybe daft.
The only feature I regret not having is the working BLF for the expansion modules so the receptionist can see who is on a call, other than that, everything is great.
We give the receptionist a Grandstream GXP2140 with the separate lock on the side BLF module, even has bluetooth for a nice Jabra headset! the modules can be daisy chained too to add more extensions if needed.
We also have a white label FOP2 licence, and allows staff to dip into that on a webpage on their computer, to see who is on or off the phone across all the centres.
I think it’s definitely worth it, i am picking up up 7941’s for £20 odd quid and the colour 7971’s for £30 odd, an old HP DL server and some cheap POE switches, amazing value for money. And I like to get things to work! Hence why we have Raspberry Pi’s all over the place too, doing signage on 50" TV’s and running printer release stations and laptop signing out stations(we are a college). I remember 7 years ago, a team of suited and booted BT salesmen coming in to meet me and the boss to sell us their new hosted work anywhere solution, calls routed to desk phones or mobiles or any phone you designate, all hardware included in the deal, etc. We told them, “great sounds brilliant, how much?”, and with no hint of humour or sarcasm, “£100k, over x years”. Needless to say we laughed them out the office, and I built our system from scratch with 1 server and a few test extensions, for under £100 on eBay, and pretty much ticked all the features BT were offering! We now have over 150 extensions, 20 soft phones, fax machines, alarm systems all in, and no BT lines, just SIP
Some of your projects sound very familiar to me.
Only last week I was tasked with making the old Lexmark printers hold and release jobs., Which of course they can, but not without pressing a series of tiny buttons and reading from what I think is a 1980s mobile phone screen. It’s like solving a tiny Japanese puzzle every time you want to retrieve a print job.
So I have relieved my Pii from it’s current duties and I’m looking for software to do the same.
Next job is to find an external door intercom for the phone system.
We use a software called PaperCut, does all our printing needs, plus release stations, which come in all flavours including linux and an image for the pi, all our Ricoh photocopiers around the 4 sites, currently 12 of them are run from secondary servers on site and a primary server at HQ. Pi’s with touch screens and bar code readers at every copier. People print, it is held, they release on the Pi, if they don’t release, it auto deletes over night. Cheap for education, still not bad for commercial.
We have sip on our secure magnet doors, so it rings a subset of phones when someone presses the button. Fanvil i20T, great bit of kit, keypad, keyfob and sip phone all in one, with relays for magnets etc Think it’s been superceded by i21T or similar now.
Full of projects me 
I am currently overseeing a VDI project to get everyone off crappy aging PC’s onto proper serverside thin client working, although that project is around 6 figures, so not a cheap raid the parts bin job!
just a quick update…
I have tried an alternate SEP mac .cnf file today and the problem persists.
After going through the new config file and the old, it seems that the both do the same thing. I initially thought that the proxy settings were different but my existing cnf file just puts them in a different place.
I have, however, noticed that the Sophos UTM firewall is dropping a SIP packet from the Asterisk server addressed to the gateway of that VLAN during registration. (This packet must be the Asterisk reply to the phone which gets lost) I have triple checked the rules and even briefly tested an allow all rule but it still dropped this packet.
I am trying to work out why this happens.
No packets are dropped when the softphone registers from the same subnet. However, the initial registration request is replied to with a 401 unauthorised packet, the second packet sent from the phone is then replied to with a 200 ok registered.
So it seems when the softphone registers, the firewall doesn’t drop the first reply but with the Cisco phone it does.
Both say <-------Transmitting to 192.168.1.1 :5060 --------->
just to close this topic off.
the issue lay with NAT masquerading rules on our Sophos UTM. It is probably an issue unique to us so I wont go into detail.
Now that everything seems to be working I can conclude that as James said above, they do work fine.
However, if you are considering these phones in a solution like this beware, they are tricky to work with and unforgiving if you get anything even slightly wrong with your config. Once working they are reliable.
Many thanks to everyone above for their help. I would probably have given up without the help from James Hartley