We typically recommend completely disabling SIP ALG (Application-level Gateway) and inbound NAT rules, allowing us to take care of that for you. As long as you have an active SIP registration you should be permitted to send and receive faxes. We do far-end NAT traversal. What that means is that when you contact us from a fax server on a private IP to register, that usually permits us to do bi-directional SIP messaging. We can usually capture your public and private IPs and do the right thing. ALGs mean well but usually just end up interfering. Many firewalls that feature SIP ALG do not understand T.38 re-invites and thus will not alter the IP addresses and ports for this re-invite and the subsequent acknowledgement. For details on disabling SIP ALG on Cisco ASA, see this link.