This is strange. The usual setup is to do NAT traversal on the Asterisk side. The phone doesn’t know its public IP and should always send its private address in Via, Contact and SDP.
Phones usually have an option to use STUN or get its public IP from the Via received tag; with Asterisk, this is generally undesirable.
The remote router/firewall may have a SIP ALG that substitutes its public IP in various fields; these are notoriously buggy and should generally be disabled.
Force rport tells Asterisk to ignore the private address in the Via header of (for example) a REGISTER request, and send the reply to whatever IP and port the request was received from.
Rewrite Contact tells Asterisk to ignore the private address in the Contact header and send INVITEs for incoming calls to the IP/port from which the REGISTER request came.
Asterisk sends the INVITE with its public IP and an appropriate port (default between 10000 and 20000) in the SDP. When it receives the 200 OK from the phone (containing a private address in the SDP), it will indeed send a few RTP packets to an unroutable address; this is useless but harmless. But as soon as it starts receiving RTP from the phone, it will start sending RTP to whatever IP and port the incoming RTP is coming from. That’s what Symmetric RTP means.
Even if the remote router/firewall rewrote the source port on the RTP from the phone, the RTP that Asterisk sends should reach the phone, because the router/firewall sees these packets as replies to the phone’s RTP.
After disabling any ALG in the path, if you still have trouble, can the caller hear the callee? If not, troubleshoot that first – this has nothing to do with SDP sent by the callee. If yes, find out why the returned packets aren’t reaching or being played by the phone.
If you can’t fix this by yourself, please paste the Asterisk log for a failing call, with pjsip logger turned on, at pastebin.com and post the link here. If you redact any data, make it clear what each item represents (Asterisk public IP, phone public IP, called number, calling number, trunk username, etc.)