Can you avoid the NAT and assign a public IP to the PBX? You can still have your firewall rules in place but no NAT. Presumably the PBX has a second IP interface for the phones.
Alternatively, and I don't know if the 1335 supports this but the TA900 series does for sure, you could build a voice trunk of type SIP toward the provider and a second one on the inside to the PBX. Then use a voice grouped-trunk configuration to route your incoming phone numbers to the PBX and default out to the provider.
My suspicion is that the port 5060 inbound permit firewall rule is allowing traffic in without the ALG NAT fixup. Because it's a straight port forward, it may not detect SIP. Alternatively, it could be a bug. Check for newer firmware and/or the release notes on the firmware you're running under "errata", which is where known unfixed bugs are listed. You may need to open a support case.
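To make the "ALG NAT fixup" point above concrete, here is an added illustration (not from this thread or any vendor's code). It takes a constructed SIP INVITE from a PBX at 10.1.1.5 behind a NAT whose public address is assumed to be 203.0.113.10, reports which headers leak the private address, and performs the rewrite a SIP ALG would do on Via, Contact and the SDP c=/o= lines (with Content-Length recomputed). A plain port forward without this fixup sends the message through unchanged, so the provider tries to signal and send RTP to 10.1.1.5 and the call is one-way or fails.

```python
"""SIP NAT fixup (ALG) illustration. Constructed sample message; the PBX
address 10.1.1.5 and the public address 203.0.113.10 are assumptions."""
import ipaddress
import re

# RFC 1918 ranges: a SIP message leaving the NAT should not carry these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE as the PBX would send it, before any NAT fixup.
SAMPLE_INVITE = (
    "INVITE sip:15551234567@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:pbx@10.1.1.5>;tag=1928301774\r\n"
    "To: <sip:15551234567@sip.example.net>\r\n"
    "Contact: <sip:pbx@10.1.1.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 78\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 123 123 IN IP4 10.1.1.5\r\n"
    "c=IN IP4 10.1.1.5\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Headers the far end uses to route responses/requests back; SDP lines
# that carry the media address.
FIXUP_HEADERS = ("via", "contact")
FIXUP_SDP_PREFIXES = ("c=", "o=")


def is_private(ip: str) -> bool:
    """True if ip is an RFC 1918 address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def _header_name(line: str) -> str:
    return line.split(":", 1)[0].strip().lower()


def find_leaked_private_ips(msg: str):
    """Return (where, ip) pairs for private addresses in Via/Contact/SDP.

    This is the check a troubleshooter wants: if a capture taken on the
    outside of the NAT still shows these, the SIP ALG did not run."""
    head, _, body = msg.partition("\r\n\r\n")
    hits = []
    for line in head.split("\r\n"):
        if _header_name(line) in FIXUP_HEADERS:
            hits += [(_header_name(line), ip)
                     for ip in IPV4_RE.findall(line) if is_private(ip)]
    for line in body.split("\r\n"):
        if line.startswith(FIXUP_SDP_PREFIXES):
            hits += [(line[:2], ip)
                     for ip in IPV4_RE.findall(line) if is_private(ip)]
    return hits


def alg_fixup(msg: str, public_ip: str) -> str:
    """Rewrite private addresses in Via/Contact/SDP to public_ip, as a SIP
    ALG does. From is left alone (it is an identity URI, not a routing
    address). A real ALG also opens the RTP pinhole for the m= port."""
    head, sep, body = msg.partition("\r\n\r\n")

    def fix(line: str) -> str:
        return IPV4_RE.sub(
            lambda m: public_ip if is_private(m.group(1)) else m.group(1), line)

    new_body = "\r\n".join(
        fix(l) if l.startswith(FIXUP_SDP_PREFIXES) else l
        for l in body.split("\r\n"))
    new_head = []
    for line in head.split("\r\n"):
        name = _header_name(line)
        if name in FIXUP_HEADERS:
            line = fix(line)
        elif name == "content-length":
            # Body length changed with the address rewrite.
            line = f"Content-Length: {len(new_body.encode())}"
        new_head.append(line)
    return "\r\n".join(new_head) + sep + new_body


if __name__ == "__main__":
    print("leaked before fixup:", find_leaked_private_ips(SAMPLE_INVITE))
    fixed = alg_fixup(SAMPLE_INVITE, "203.0.113.10")
    print("leaked after fixup:", find_leaked_private_ips(fixed))
    print(fixed)
```

Running it shows four leaks (Via, Contact, o=, c=) before the fixup and none after; the From header keeps the private URI, which is what most ALGs do. Applying `find_leaked_private_ips` to a message captured on the provider-facing side is a quick way to confirm whether the port-forward path is bypassing the ALG.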
The TA900 with two trunks should definitely fix it. You can get away with a TA904 non-e model "on-a-stick" by using VLANs on its single Ethernet interface.
I ended up contacting support and setting up a transparent SIP proxy to get it to work correctly. - Jeremy