Remote SIP phone and routers

I have never been able to get SIP phones to successfully register and work when behind a firewall/router.

I have a FreePBX system on an external routable IP address.

I want to have a SIP phone at another location that is behind a firewall/router with an internal IP.

What tricks do I have to do to allow this type of setup work? I always seem to have issues because the SIP messages do not get properly routed with the necessary information for the FreePBX to route return messages.

It seems like this should be something so basic to allow SIP phone to work that there simple instructions.

Most of the time the voice traffic is lost or something.

Are there any good articles or suggestions?



SIP across NAT is difficult. SIP across two NAT’s is voodoo for all intents and purposes.

The cheapest routers have VPN’s built in. Use a VPN and you will never have an issue.

I have 4 phones remote to my central system. On your router at the main site, make sure you have UDP/TCP ports 5060-5080 forwarded to your PIAF box. Also UDP ports 10000 to 20000 must be forwarded to the Asterisk box.

The remote router settings are not too important since the phones will reach out to main location. Be sure the phones have the static IP address of the remote server or the fully qualified domain name of the server. This generally requires manual setup of the phones at the remote location.

I use Tomato firmware on both routers. A variety of inexpensive routers can run this firmware. It provides intelligent QOS for better VOIP calls.

I have never been satisfied with VPN tunnels between locations.

Finally, make sure you have ports turned on in the on-board Asterisk server firewall. See this link for some insight:

There is tons of information available on how to do all this if you Google for it.

Kenn - Why have you not been satisfied with VPN’s?

To me it’s the ultimate solution, a single stream to manage the QoS of instead of random RTP streams and the ability to do broadcast traffic.

The Aastra XML scripts work perfectly for VPN users.

I have tried Cisco, both ASA and PIX based, Juniper, PfSense and Fortigate all with good luck.

What are your specific issues with a VPN?

Lastly a VPN offers the security of not having to open up SIP to the world.


There is tons of information available on how to do all this if you Google for it.

Most of it is dead wrong. Just look at your config. Forwarding TCP ports in 5060-5080 range.


Double NAT is not hard. I have my box on a private IP and regularly connect from various places also behind NAT w/o problems.

I appreaciate all of your responses.

I had found tons of articles when I googled before I posted this article.

And yes most of which don’t work, Actually I =have found none to work yet,

I will continue to try.

Kenn - If you would share your setup maybe yours would work for me?

Thanks again to everyone.


Kenn, I’m not sure why you’re opening up a range for SIP session control. All you need is UDP 5060. For the streaming portion, you don’t need the entire range of UDP 10000 - 20000. All you need is enough to satisfy the maximum number of concurrent calls. If you want 10 concurrent calls, then limit the range to 10000 - 10009.

Double, Triple, essentially the number of NATs in a row aren’t an issue, what is is wether they play nice.

Ultimately, if you want to sleep well at nights, do youself a favor and setup a VPN. There really isn’t a good reason to poke holes in your firewall if you don’t need to. =0)