Configure Asterisk with Kamailio

I am having audio problem with phones behind another NAT (I have my Asterisk PBX inside a NAT and my phones inside another NAT).

Searching the internet, I found that this is known issue due to udp port forwarding between NATs.

I also found that we can solve this problem by using a middle man like Kamailio (OpenSER).

But I could not find how to configure asterisk with Kamailio for NAT traversal only.

Appreciate any help on this.

I don’t see any problem other than duplicate localnet settings.

Also, I would obsuce your externip

You don’t have FreePBX installed!

Do you have any SIP alg stuff turned off in the router that is attached to the Asterisk system?

Yes, I have FreePBX installed.

Yes I have SIP ALG in my router.

I tried both ON and OFF.

I prefer not to use SIP/RTP proxy because, as you said, it is very difficult to setup.

If there is no other alternative, then I have no option except go for it.

If you’re still considering a SIP/RTP proxy for NAT transversal, it’s not going to be an easy task but it certainly is possible. If you’re still up for it, there is documentation on how to configure OpenSIPS (fork of OpenSER and Kamailio’s counterpart) to work with Asterisk. You can view the documentation here:

Note that while this kind of implementation may be complex, it is a viable solution for your problem. There are commercial services that offer the same service for residential VoIP service:

I am just using DMZ till I get it working, then I will limit to required ports only.

Yes, I test it with several routers and same problem.

Below is my sip settings:

Global Settings:

UDP SIP Port: 5060
UDP Bindaddress:
TCP SIP Port: Disabled
TLS SIP Port: Disabled
Videosupport: Yes
Textsupport: No
Ignore SDP sess. ver.: No
AutoCreate Peer: No
Match Auth Username: No
Allow unknown access: Yes
Allow subscriptions: Yes
Allow overlap dialing: Yes
Allow promsic. redir: No
Enable call counters: No
SIP domain support: No
Realm. auth: No
Our auth realm asterisk
Call to non-local dom.: Yes
URI user is phone no: No
Always auth rejects: Yes
Direct RTP setup: No
User Agent: FPBX-2.8.1(
SDP Session Name: Asterisk PBX
SDP Owner Name: root
Reg. context: (not set)
Regexten on Qualify: No
Caller ID: Unknown
From: Domain:
Record SIP history: Off
Call Events: Off
Auth. Failure Events: Off
T.38 support: No
T.38 EC mode: Unknown
T.38 MaxDtgrm: -1
SIP realtime: Disabled
Qualify Freq : 60000 ms

Network QoS Settings:

IP ToS RTP audio: EF
IP ToS RTP video: AF41
IP ToS RTP text: CS0
802.1p CoS SIP: 4
802.1p CoS RTP audio: 5
802.1p CoS RTP video: 6
802.1p CoS RTP text: 5
Jitterbuffer enabled: No
Jitterbuffer forced: No
Jitterbuffer max size: -1
Jitterbuffer resync: -1
Jitterbuffer impl:
Jitterbuffer log: No

Network Settings:

SIP address remapping: Enabled using externip
Externrefresh: 10
STUN server:

Global Signalling Settings:

Codecs: 0x3c1fff (g723|gsm|ulaw|alaw|g726|adpcm|slin|lpc10|g729|speex|ilbc|g726aal2|g722|h261|h263|h263p|h264)
Codec Order: ulaw:20,gsm:20,slin:20,g726:20,g729:20,g723:30,alaw:20,g726aal2:20,adpcm:20,lpc10:20,g722:20,speex:20,ilbc:30
Relax DTMF: No
RFC2833 Compensation: No
Compact SIP headers: No
RTP Keepalive: 0 (Disabled)
RTP Timeout: 10
RTP Hold Timeout: 300
MWI NOTIFY mime type: application/simple-message-summary
DNS SRV lookup: Yes
Pedantic SIP support: No
Reg. min duration 120 secs
Reg. max duration: 360 secs
Reg. default duration: 120 secs
Outbound reg. timeout: 20 secs
Outbound reg. attempts: 0
Notify ringing state: Yes
Include CID: No
Notify hold state: Yes
SIP Transfer mode: open
Max Call Bitrate: 384 kbps
Auto-Framing: No
Outb. proxy:
Session Timers: Accept
Session Refresher: uas
Session Expires: 1800 secs
Session Min-SE: 90 secs
Timer T1: 500
Timer T1 minimum: 100
Timer B: 32000
No premature media: Yes

Default Settings:

Allowed transports: UDP
Outbound transport: UDP
Context: from-sip-external
Nat: Always
DTMF: rfc2833
Qualify: 2000
Use ClientCode: No
Progress inband: Never
MOH Interpret: default
MOH Suggest:
Voice Mail Extension: *97
Forward Detected Loops: Yes

Setting the DMZ is a huge security issue. You should forward as few ports as possible.

Also run a good firewall such as APF with the Brute Force Detection Module Installed (look at for example scripts).

Your setup should work fine.

Post your Asterisk NAT setup.

Have you tested with other distant end routers?

SkykingOH, VPN is good if you have fixed sites, but for several scattered sites, it would be very difficult.

kenn10, please let me know if someone tried OpenSBC to solve this specific problem.

First, why would the VPN be complicated? DD-WRT routers with VPN clients are now under $50.00

and super easy to setup.

You did not describe the network well. The Asterisk system is behind NAT, can you forward ports? If you setup Asterisk NAT options, forward UDP 5060 and whatever range is defined in /etc/asterisk/rtp.conf you should be able to make this work.

Yes, all ports forwarded to Asterisk, I also set the DMZ to the Asterisk PBX.

The problem with devices (IP phones & softphones) behind another NAT.

Please see the below my network diagram:

This is not a simple issue. You would have to use OpenSER and Mediaproxy and still would probably not get the desired results.

To my knowledge nobody has an Open Source Session Border Controller.

Why don’t you just build a VPN between the two sites? Much simpler solution.

There is an open session border controller package out there but not sure how much it can help.