Nat Newbie - Driving me Crazy


I’m not really that new to NAT in fact know it pretty well however I’m newbie with how Asterisk and the SIP protocol handles NAT

Ill explain my architecture a little first
I have a AsteriskNow box running version
It sits behind a pfsense firewall that has NAT disabled. It simply forwards packets that meet valid rules.
On the pfsense box i have set up forwarding rules for SIP 5060 TCP/UDP as well as TCP/UDP ports 10000-10020
in front of my pfsense box is a cisco 1941 router. This is my edge device that has a static IP and handles my Nat requirements. I have set up nat rules on this box to forward sip/rtp ports to my asterisk box.

Problem, Typical issue, no audio for external x-lite clients.

X-lite clients register and can initiate a call. just no audio both ways. These are X-lite clients on iphones and i have tried using 4g data as well as wifi. Note they work fine when using wifi internally.

I have researched this to death and perhaps its just not ideal to do this but i just cant believe it. This has to be a very common requirement. Every time i find something on the net it either points me to adjust settings that simply don’t exist on my version or don’t help.

The one thing im sure of is that asterisk is not providing the correct details for the rtp connections. I can see the private IP address a lot in the x-lite logs which i suspect have some setting configured incorrectly that tells asterisk to send the correct IP info in the SIP messages.

This is a dump of show sip
MBICPBX01*CLI> sip show settings

Global Settings:

UDP Bindaddress:
TCP SIP Bindaddress: Disabled
TLS SIP Bindaddress: Disabled
Videosupport: No
Textsupport: No
Ignore SDP sess. ver.: No
AutoCreate Peer: Off
Match Auth Username: No
Allow unknown access: Yes
Allow subscriptions: Yes
Allow overlap dialing: Yes
Allow promisc. redir: No
Enable call counters: No
SIP domain support: No
Path support : No
Realm. auth: No
Our auth realm asterisk
Use domains as realms: No
Call to non-local dom.: Yes
URI user is phone no: No
Always auth rejects: Yes
Direct RTP setup: No
User Agent: FPBX-
SDP Session Name: Asterisk PBX 13.12.1
SDP Owner Name: root
Reg. context: (not set)
Regexten on Qualify: No
Trust RPID: No
Send RPID: No
Legacy userfield parse: No
Send Diversion: Yes
Caller ID: Unknown
From: Domain:
Record SIP history: Off
Auth. Failure Events: Off
T.38 support: No
T.38 EC mode: Unknown
T.38 MaxDtgrm: 4294967295
SIP realtime: Disabled
Qualify Freq : 60000 ms
Q.850 Reason header: No

Network QoS Settings:

IP ToS RTP audio: EF
IP ToS RTP video: AF41
IP ToS RTP text: CS0
802.1p CoS SIP: 4
802.1p CoS RTP audio: 5
802.1p CoS RTP video: 6
802.1p CoS RTP text: 5
Jitterbuffer enabled: No

Network Settings:

SIP address remapping: Enabled using externaddr
Externaddr: XXX.XXX.45.16:0
Externrefresh: 10

Global Signalling Settings:

Codecs: (ulaw|alaw|gsm|g726)
Relax DTMF: No
RFC2833 Compensation: No
Symmetric RTP: Yes
Compact SIP headers: No
RTP Keepalive: 0 (Disabled)
RTP Timeout: 30
RTP Hold Timeout: 300
MWI NOTIFY mime type: application/simple-message-summary
DNS SRV lookup: No
Pedantic SIP support: Yes
Reg. min duration 60 secs
Reg. max duration: 3600 secs
Reg. default duration: 120 secs
Sub. min duration 60 secs
Sub. max duration: 3600 secs
Outbound reg. timeout: 20 secs
Outbound reg. attempts: 0
Outbound reg. retry 403:0
Notify ringing state: Yes
Include CID: No
Notify hold state: Yes
SIP Transfer mode: open
Max Call Bitrate: 384 kbps
Auto-Framing: No
Outb. proxy:
Session Timers: Accept
Session Refresher: uas
Session Expires: 1800 secs
Session Min-SE: 90 secs
Timer T1: 500
Timer T1 minimum: 100
Timer B: 32000
No premature media: Yes
Max forwards: 70

Default Settings:

Allowed transports: UDP
Outbound transport: UDP
Context: from-sip-external
Record on feature: automon
Record off feature: automon
Force rport: Yes
DTMF: rfc2833
Qualify: 0
Keepalive: 0
Use ClientCode: No
Progress inband: No
Language: en_AU
Tone zone:
MOH Interpret: default
MOH Suggest:
Voice Mail Extension: *97
I’ve seen references that i need to enable Nat for the extension however i just dont see that setting in this version of AsteriskNow. I have seen screenshots of earlier versions where it is a clear yes/no option. I can only assume that it is redundant now for some reason.

This is a dump of the x-lite log

SIP/2.0 200 OK

Via: SIP/2.0/UDP;rport=55420;received=;branch=z9hG4bK-524287-1—41cb5324f3e3f44b

Contact: sip:XXX.XXX.45.16:5060

To: sip:[email protected];tag=be90b976-f030-486a-bdf5-fbb4b683093b

From: “Michael” sip:[email protected];tag=8f564c5f

Call-ID: 86895MGZkNWJmMDk1ZGYwYzY0MmU5OTk1MmMyMzhkNTM3M2Y



Content-Type: application/sdp

Server: FPBX-

Supported: 100rel, timer, replaces, norefersub

P-Asserted-Identity: “CID:0390956115” sip:[email protected]

Content-Length: 253


o=- 1119646346 3 IN IP4


c=IN IP4 XXX.XXX.45.16

t=0 0

m=audio 10004 RTP/AVP 0 8 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16




NAT is a tough nut to crack, so there’s no simple solutions. The problem is that some things implement NAT one way and some other ways. In addition, the ways you deal with NAT and the different NAT modalities make it all a little challenging to cover is short. In addition, some NAT problems solve themselves, so some things just seem opaque.

For example, for outbound calls, your server needs to know whether it needs to inform the remote end how to get traffic back. To do this, the server says “I know my address is behind a NAT, but if you want to get traffic back to me, send it here.”

To compound the problems, some parts of the protocol don’t deal with NAT well directly. Audio coming into your firewall that is a “SYN” packet (the audio for an incoming call, for example) doesn’t have the benefit of coming from the device that knows the information is coming in. This is why you redirect UDP ports 10000-20000 to your server.

Another example like this is the “incoming” calls from your ITSP. These guys need to know your routable address so that they can send calls to your PBX, but you don’t necessarily have a connection established that can direct the call immediately. In this case, you can specify a port on your firewall (10236, for example) as the “connection” port for SIP and redirect it to your PBX SIP port.

Finally, there are some devices that use something called a STUN server to announce what address to send traffic back to - many SIP phones (for example) use STUN servers to get their “external” address.

Oh, and one more wrinkle - there are at least two SIP drivers you can use. Chan-SIP and PJ-SIP both can “peacefully” coexist on your server, but have to use different ports (like any other service on your server), So, port 5060 is “the” SIP port, except that it doesn’t have to be. Configuring NAT to deal with the variability of the inbound SIP ports makes life more interesting.

Because the Cisco is handling NAT, and even though pfSense is not set up with NAT, you still have to tell asterisk to run in NAT mode in sip settings.

Thanks hammer, This is the setting I cannot find in sip settings unless my eyes are failing me. Im assuming I can do this through the asterisknow gui

Make sure you choose static IP for your setup.

a guess is that the cisco router has the sip alg turned on.

1 Like

Thanks Hammer however i thought those settings are only relevant for the SIP channel and not the PJSIP channel. Anyhow i managed to get it working. I had made a mistake on in my NAT statements that were preventing it from working. Everything good now.