Cisco CP8961 No Audio over NAT

I have been successfully running some Cisco phones with FreePBX on an internal network. Mainly CP8961 models

But when I tried to add some phones on a different network they will register into Freepbx ok, they can make and receive calls, except when the call answers there is no audio in either direction.
The same phone on the local network work fine. The only change being enabling NAT in both FreePBX and the SEPxxxxxxxxxx.cnf.xml

I have studied what I can find on the net for Cisco’s over NAT but cannot find anything that makes any difference.

Configs for extension and SEP file here.

We need more info about the networks?

Are the new networks in Asterisk SIP Settings?

I have tried several scenarios.
a. Server on local subnet @
any Cisco phone on this subnet work fine
b. a phone on separate network connected via router in same building
on register, ring and can dial out, but no audio
c. Server on external public IP, cisco on local subnet connected via adsl
again register, ring and can dial out, but no audio. Tried two different modems and locations
d. Server on Virtual host @ data centre, cisco on local subnet connected via adsl
    again register, ring and can dial out, but no audio

In each case I have used a control phone (a Grandstream) beside the Cisco and that phone works fine. Just the Cisco that have no audio.
I am trying to connect a remote Cisco back to a inhouse server with public IP. At present I am leaning towards three options:-

  1. update the firmware in the Ciscos currently SIP8961.9-1-1SR1
    current release is 9.4. I have seen some mention of certain firmware having "issues"
    But these are customer phones and the supplier no longer available so I am having trouble getting hold of the firmware as I have no access to Cisco support.

  2. run a VPN from the customers home back to the server.

  3. sell them non Cisco phones.

The phones themselves work fine in-house.I just feel I am missing something simple.

Sorry, but I realized I did not answer your question.
No the new networks are not in FPBX setup.
All external. But surely that should not be necessary?
Also all firewalls disabled to test.

Incorrect routing or NAT with SIP connections is guaranteed audio problems, simple as that. The Session Initiated by that protocol will have to know where to send that audio to, all your routers will need to either rewrite the SIP headers and rewrite the negotiated RTP stream correctly as per the SDP session agreed if they think they are clever enough or do what they are told, best that they do what they are told.

If these networks are connected they do not need nat so assuming you router I s routing and not translating you must declare all connected networks via localnet settings in FreePBX sip settings module

I thought I would complete this thread, by posting the (sort of) solution.

We never found a way to get the Cisco’s to correctly work over NAT.
If we fixed one thing, it broke another, so my advice is - Don’t try.

We installed relay freepbx boxes in each sub office (network).
(small Micro ATX’s running of San disks)
These SIP trunk back to the central unit.
The Cisco’s work happily on their own subnet.

In the remote office we replaced the phones with Grandstreams.

Problem Solved.

If you want it to work correctly, you need to configure your Asterisk SIP Settings module correctly, including the external IP and all the internal subnets.

Thanks, but we did all that. Started with the same SIP settings we have always sued for other brands of phones that work.
Tried every possible combination of SIP network settings possible. Spent many days on it.
Also different routers. If you do not have the SIP network settings correct, the Cisco’s will not even connect. With the correct settings of external IP, and all local subnets, they will register, dial out and receive calls,
Just would not have any Audio on the answered call.
All other brands of phones on the same network worked fine.

When we put a Freepbx local system on their network they worked fine.
From what I can see they just do not work over NAT.