If you want port forwarding (which involves NAT) and at the same time keep public address, you can't really do that, it's one or the other. What you can do is to forward public address from CHR to PBX. If you can get another public address for CHR, it's simple. If that's not an option, it may be possible to do something with CHR's public address too, using action=route in prerouting. Not very nice solution, but basic idea is:
/ip firewall mangle
add chain=prerouting dst-address=<CHR's public address> protocol=<something> dst-port=<something> action=route route-dst=<gateway to PBX>
I'm not into SIP myself, so I don't know what exactly it needs, if it's few static ports or if it's more dynamic. But in extreme you should be able to route everything except few ports required by CHR:
/ip firewall mangle
add chain=prerouting dst-address=<CHR's public address> protocol=tcp dst-port=1194 action=accept comment="OpenVPN on CHR"
add chain=prerouting dst-address=<CHR's public address> protocol=tcp dst-port=22,8291 src-address=<admin's address> action=accept comment="CHR admin access"
add chain=prerouting dst-address=<CHR's public address> protocol=<something> dst-port=<something> action=route route-dst=<gateway to PBX>
For the record, action=route seems to be either broken or works somehow differently in v7 than it used to in v6.