Double-NAT on one end, Single-NAT on the other

My dad has a SIP phone in his house. His house network (192.168.5/24) is behind a NAT gateway like most everyone I know. The asterisk server is also behind its own NAT gateway part of network 192.168.1/24.

Plan A
I originally had his SIP phone connect to the asterisk server through a port forward on the asterisk server gateway. This worked somewhat but had issues of voice quality stuttering and so forth. I suspected Time Warner was messing with the traffic but I wasn’t sure, so I tried Plan B.

Plan B
I got my dad’s gateway to VPN connect to the NAT gateway ahead of the asterisk server. This meant all of his traffic was being sent to the asterisk server’s network (192.168.1/24) before going out to the internet. This also meant that his SIP phone, which still had a 192.168.5/24 address, could directly talk to the 1.whatever network where the asterisk was. In this situation, everything worked beautifully. Audio quality was superb, but we had the one big drawback that all of his bandwidth was now routed through the asterisk internet connection, which slowed him down and was a drain on the asterisk internet. With this in mind, I attempted Plan C…

Plan C
We disabled the VPN client of his first router and then I had my dad buy another gateway router. I had him connect the WAN port of it to the LAN side (192.168.5/24) of the first router. I then had him set up the WAN side as being a PPTP connection to the asterisk gateway so it was a VPN client. I made this new router’s LAN 192.168.15/24. I then had him plug his SIP phone into the LAN side of this new router. So, his new SIP phone gets a 192.168.15/24 address and is able to contact the asterisk server at since the router is a member of the 192.168.1/24 network now. Technically, he’s behind one NAT router now - the new gateway router he just bought - just like he was behind a NAT router in Plan A. In this configuration, he registers successfully. I can call him and he can hear me just fine but I can’t hear him.

This is what Asterisk shows for his SIP channel:
Name/username Host Dyn Forcerport Comedia ACL Port Status Description
510/510 D Yes Yes A 1287 OK (95 ms)

Here are the settings I understand are relevant:

FreePBX Version 12.0.51

Dad’s Sip Settings
NAT Mode = Yes - (force_rport, comedia)
Port = 5060
Can Reinvite = No
Host = Dynamic
Qualify = Yes

Dad’s Phone Settings
NAT Traversal = “STUN” or “No but Keep-Alive” (either setting has the same result)

Here are two interesting lines asterisk shows me when the call between my extension (I’m on the asterisk server side with an IP address of
0x7f7340033680 – Probation passed - setting RTP source address to
0x7f734802d1d0 – Probation passed - setting RTP source address to

Any help appreciated. Feel like I’m really close.

I fixed this exact problem for a lady in Ohio yesterday using a Time Warner Ubee Modem like this:

So this is a Modem that is actually an Application Layer Gateway (ALG) for MANY services including by default SIP (SIP ALG) - She had installed her own router behind it and was double-natted (nat behind nat) trying to connect to a remote Asterisk here in Albuquerque.

Here is what I learned from over an hour of troubleshooting and packet captures:

  1. You can’t turn off the SIP ALG - It says it’s off, but it still screws with the audio.
  2. You can’t turn off the RTSP ALG - It says it’s off, but it still screws with the audio.
  3. No matter what the settings of either of these ALGs, audio never makes it through the second natted router to the phone - even if you set up the inside router as the DMZ host on the first router.

Here is the only way I found to make it work and I am guessing that it would work for you:

  1. On your Pop’s end, enable the SIP and RTSP ALGs and have the phone connect to this router and get an IP directly from it - so plugged straight in and getting the 192.168.whatever address it wants to give it.

  2. On your end, once your Pop is configured as above, experiment with turning the ALGs on and off, but make sure that your Asterisk is on the router-native subnet - if you put another router behind it, I think it will fail.

  3. Experiment with the settings in Asterisk along with the settings for the ALGs so:

ALGs Off - Asterisk NAT Off
ALGs On - Asterisk NAT Off
ALGs Off - Asterisk NAT On
ALGs On - Asterisk NAT On.

Once you are successful, post the combination here so other people can see!

Thanks for the response. I’ll ask my dad what Time Warner router he is using and post back. I’m not sure if this matters since the Time Warner modem is only handling VPN packets at this point as all asterisk traffic is being done with non-routable IP addresses on either end of the VPN tunnel.

In the meantime, I’m having him change the new router to have DD-WRT on it. Perhaps DD will be a nicer NAT system to work with.

DD-WRT solved it. Works perfectly now.

Sorry to jump late into the conversation. I actually liked your solution B with VPN better, with one modification. You configure VPN with split tunnel, with only traffic for the asterisk server entering the VPN tunnel. It’s fairly easy to implement to be honest, just a bit of messing with the routing table.
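
The split-tunnel idea in the last reply, modelled as an added example (not code from any poster in this thread): a longest-prefix-match lookup over the routing table of the dad's gateway, comparing Plan B's full tunnel with a split tunnel. The 192.168.1.0/24 and 192.168.5.0/24 subnets come from the thread; the interface names `ppp0`/`eth0`, the VPN peer address and the sample destination hosts are assumptions constructed for illustration.

```python
import ipaddress

TUNNEL_IF, WAN_IF = "ppp0", "eth0"   # assumed interface names on the gateway
PBX_NET = "192.168.1.0/24"           # Asterisk LAN, from the thread
VPN_PEER = "203.0.113.10/32"         # constructed public address of the VPN endpoint

# Plan B as described: the default route points into the tunnel.
FULL_TUNNEL = [
    ("0.0.0.0/0", TUNNEL_IF),
    (VPN_PEER, WAN_IF),              # the tunnel's own packets must leave via the WAN
    ("192.168.5.0/24", WAN_IF),      # local LAN stays local
]

# Split tunnel: default route stays on the ISP link, only the PBX subnet is tunnelled.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", WAN_IF),
    (VPN_PEER, WAN_IF),
    ("192.168.5.0/24", WAN_IF),
    (PBX_NET, TUNNEL_IF),
]

# Constructed sample destinations; the thread does not give the real PBX address.
SAMPLE = {
    "pbx": "192.168.1.10",
    "web": "198.51.100.7",
    "lan_printer": "192.168.5.20",
    "vpn_peer": "203.0.113.10",
}

def egress(table, dst):
    """Return the interface chosen by longest-prefix match, as a router would."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), ifc)
               for prefix, ifc in table
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tunnel_report(table, destinations):
    """Map each named destination to True if its traffic enters the VPN tunnel."""
    return {name: egress(table, ip) == TUNNEL_IF
            for name, ip in destinations.items()}

if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(label, tunnel_report(table, SAMPLE))
```

With the split table, SIP and RTP to the PBX subnet still travel inside the tunnel (so the ISP equipment only sees VPN packets), while general internet traffic no longer crosses the Asterisk site's connection.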