Try capturing the SIP packets from the customer and open the capture file with Wireshark. Notice the SDP message in the SIP Invite and see what IP the device is telling the SIP partner to send audio back to.
This would be the next step to diagnosing this problem. Also monitor the replies from Vonage on UDP port 5060/5061. SIP is a signaling protocol, used to establish an RTP media session on another UDP port. There is no way to statically forward ports back to the customers SIP device as you don't know which ephemeral RTP port is being used for the audio. I believe there are iptables/conntrack decoders for SIP that will allow it through the firewall dynamically.
Vonage targets the consumer, who 99% of the time has a little wifi AP in their home, so most of their target market is behind NAT. I believe they use the STUN protocol to traverse NAT routers. Do you know what specific ATA the customer has?