NAT Nightmare

I’ve spent many hours fighting NAT. Everyone else seems to have no problems at all, once the configurations are set up. But it just doesn’t work for me.

My FreePBX 2.9 is behind a router, so it must use NAT. I’ve set all the proper things in the “Asterisk SIP” settings for NAT including my external IP and internal network mask, and NAT info for the remote SIP devices.

And here’s the funny part. Remote SIP devices can register without problems. But when I call, e.g. 511 (the news), it works fine for exactly 6 seconds. Then Asterisk drops the call. My guess is that the “qualify” packets aren’t getting any response.

By sniffing the network I can see that Asterisk is sending SIP packets with the wrong “Contact:” entry in the header. That particular header has the internal IP instead of the external one, the “From” and “To” headers look fine. So when the remote SIP device tries to reply, it sends its replies to an internal IP which obviously never makes it to the internet or the remote Asterisk box.

The SIP register handshake evidently doesn’t use the Contact: header, so everything there goes well and the device registers OK.

I’m stumped. Anyone have any clues? I’ve tried Asterisk 11 (without FreePBX), and had the problem for a few hours but with lots of fiddling somehow it started working. But I really want FreePBX and Incredible PBX.

Current setup is FreePBX ISO installed with 2.9 and Asterisk 1.8 Cert (BROWN) and Incredible PBX3.

I’ve searched and searched and searched and evidently everyone else is feeling the joy with no similar NAT issues.


That is entirely up to your firewall to handle, and how you configure it. Some are better than others, how your firewall handles the Protocol that Initiates a Session (SIP) and ultimately maintain both the SIP Registration/Invite and the continuity of the resultant negotiated RTP session is totally out of control of SIP or Asterisk apart from the normal timeouts, which by default in Asterisk at least are reasonable. I suggest you get help from your Router/Gateway vendor specific to how they handle SIP.

In your case look not to the preservation of the SIP 5060 (by default) session but to how well your particular PNAT/firewall handles the RTP session (by default udp somewhere between 10000 and 20000) that carries the payload (audio/video whatever)

This has nothing to do with qualify packets. Dicko is right, Asterisk thinks the RTP packets are not coming back because of the IP in the contact header.

I would start by double-checking your Asterisk SIP Settings. I know that you say that you’ve set them up, but have you set them up correctly?

Also, if you are using remote devices, are those devices also behind NAT?

Have you forwarded all the relevant ports to allow the remote devices through your NAT?

Have you enabled NAT in the extension settings?

Did you follow the instructions on for setting up remote devices?

Sip settings are correct as far as I am aware. I’ve tried both NAT=Yes and NAT=route…

remote devices are behind NAT, but like I said, they register OK and when I dial 511 they hear about 6 seconds of the news.

All ports forwarded from firewall: 5060 and 10000-20000 (matches rtp.conf range)

NAT enabled in the extensions (there’s only “nat=yes” that I could find)

I followed the instructions for setting up remote devices on as well as other sites – they all had the same instructions.

Still looking into it. I have a few ideas that I’m going to try today.

Okay I’ve got Asterisk to send proper “Contact:” headers. This is very strange. After lots of fiddling, here’s some points of note:

  • The behaviour I described in the OP is the same whether NAT is on or off on the “Asterisk SIP” configuration page.

  • On that same page, if I set NAT to ON and then enter a single “Local Networks” entry that is NOT valid, the clients connect and appear to work without problems. I haven’t completed tests though – I want to configure a echo test and do some other things.

  • Regarding the previous point, if I enter the CORRECT “Local Networks” entry on that page, the problems persist.

I’m still a bit confused, but it’s almost working completely now so I’ll continue fiddling.

P.S. I forgot to add that I’m running under VirtualBox. The host is directly on the Internet. I know that the respected members here generally do not like VM hosted FreePBX setups, but this is NOT mission critical production.

Thanks for everyone’s comments so far.