One thing though: For example Grandstream will use stun to keep nat open on all but symmetric NAT. If incoming keepalives (from the SIP server) are discarded, the NAT port assignment will time out. GS must be configured with NAT Yes and empty STUN server and it will send keepalives to the SIP server. I'm not sure why this is not done automatically when SNAT is detected...
Incoming keepalives would not refresh the conntrack timer, only an outbound packet can. For this reason, we already disable the nat-ping in ser. We rely on the UA to send out keepalive.
Are you sure? The initial REGISTER is the oubound packet and the nat pings are "replies" from the conntrack point of view. The corresponding conntrack entry should be in the ESTABLISHED or ASSURED state, if the timeouts are low enough (or the nat pings are sent often enough, <<30s).
(see udp_packet() in ip_conntrack_proto_udp.c and ip_conntrack_in() in ip_conntrack_core.c)
Our experience is that for most symmetric NATs the SIP server NAT pings work ok, however, we have had problems with LinkSys where inbound pings every 20 s do not seem to be able to keep the connection open. g-)