SIP and NAT

I don’t know what else to do, really. I’ve tried everything and my system doesn’t work.

I just upgraded to 2.10 (running Asterisk 1.8). I’ll tell you how I have everything configured and maybe someone can see something.

On one side I have the Asterisk running behind a NAT. On the firewall I have a rule so that traffic destined for a certain public IP address is redirected to the Asterisk server.

The setup is as follows:

I have an Asterisk at our office behind NAT and a softphone inside the same LAN. What we want is to call from the outside (a softphone at home, also behind NAT) to the phone inside the Asterisk’s LAN and vice versa.

I’m using X-lite 4 on both softphones.

I would really appreciate any help…Let me know if you need extra information.

Thanks very much in advance.

Since you did not tell us the “everything” that you tried or any details on your system it is difficult to offer suggestions.

SIP/NAT/Asterisk is discussed ad nauseam on the Internet. You should find much relevant information.

OK, when I say that I tried everything, I mean that I changed some of the NAT-related options several times with no success whatsoever.
I registered at http://numb.viagenie.ca/ (it is a STUN and TURN server) since the problem should be solvable that way (I read a lot, I swear), but I had no success.

I analyzed the traffic with Wireshark and OK, things aren’t where they are supposed to be, but I cannot find the cause of the problems. It may be my client (X-lite), but I tried with others and nothing.

Some people at the Asterisk Forums told me that the setup I’m trying to build is not as simple as it may seem, but I bet that a lot of people have this running. I mean, it has to be very common to want to communicate the way I want, since almost every user is behind NAT.

You mentioned you “just upgraded to 2.10 (running Asterisk 1.8)”

What did you upgrade from? Was everything working the way you wanted it to? Exactly what is your end goal?

You need to provide DETAILS

Asterisk sip settings NAT=yes
Extensions Nat=Yes

External IP should be set in asterisk as well as local networks.

It sometimes helps (depending on your firewalls) if your two LANs are on different subnets.

You should have UDP 5060-5061 and 10000-20000 pointed to your Asterisk server.

Run asterisk -r and then sip show peers.

Are the phones registering? Do you have any SIP trunks? Do they work?

I would stay away from a double NAT setup. It requires firewall work on both sides depending upon what type of NAT your router does. By virtue of the fact that you are posting this question, you are not equipped to handle the many nuances of this setup. The following setup will most likely let you connect to your Asterisk box without any firewall configuration on the remote client side.

What I recommend is to multi-home your Asterisk box. That is, install 2 NIC cards (or one NIC and 2 VLANs - advanced).

Setup one NIC on your public IP address. Make this your “externip” in your sip.conf file.

Use Webmin and configure the firewall so that only needed traffic can enter through this interface.

USE STRONG PASSWORDS FOR ALL DEVICES that register from the outside.

For internal phones use deny 0.0.0.0/0.0.0.0 followed by permit yo.ur.la.n/yo.ur.sub.net ex(192.168.1.0/255.255.255.0)

Make sure that Fail2ban is running on the service ports that you have open on your firewall. Test fail2ban and make sure that you get banned.
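The sip.conf advice in the post above (externip and localnet set, internal phones locked to the LAN with deny/permit, strong passwords for anything that registers from outside) can be checked mechanically. This is an added example, not code from anyone in the thread; the sample config, its addresses and the password-strength rule are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample sip.conf (not from the thread); 203.0.113.10 is a documentation address.
SAMPLE = """\
[general]
nat=yes
externip=203.0.113.10
localnet=192.168.1.0/255.255.255.0
[101]                     ; internal phone, locked to the LAN
secret=Xq7!vR2p#Lm9zT4w
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[201]                     ; remote softphone, registers from outside
secret=1234
"""

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as permit."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            current = sections.setdefault(m.group(1), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def net(value):
    return ipaddress.ip_network(value, strict=False)  # accepts a.b.c.d/mask notation

def weak(secret):  # hypothetical rule: under 12 characters or fewer than 3 character classes
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    return len(secret) < 12 or classes < 3

def audit(text):
    conf, findings = parse(text), []
    general = conf.pop("general", [])
    findings += [f"[general] {k} is not set" for k in ("externip", "localnet")
                 if k not in dict(general)]
    lans = [net(v) for k, v in general if k == "localnet"]
    for name, items in conf.items():
        acl = [(k, net(v)) for k, v in items if k in ("deny", "permit")]
        lan_only = bool(acl) and acl[0][0] == "deny" and acl[0][1].prefixlen == 0 and all(
            k == "deny" or any(n.subnet_of(lan) for lan in lans) for k, n in acl[1:])
        if not lan_only and weak(dict(items).get("secret", "")):
            findings.append(f"[{name}] reachable from outside with a weak or missing secret")
    return findings
```

A peer counts as LAN-only here only if its ACL starts with a deny-all and every permit falls inside a configured localnet; every other peer is treated as exposed and must pass the secret check.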

Thanks to both of you for replying. Your suggestions have opened a new path to follow. I think I was stuck and, because of the long time spent trying to solve it, I wasn’t able to see any further, or was desperate.

In response to your post, tadpole, I want to make sure of a couple of things. It’d be great to hear from you about this, as you have shown that you have the knowledge needed to get your hands dirty. What I would like to know is if my approach is correct.

The problem with NAT is the various types of NAT out there (full cone, restricted, port restricted and symmetric). No problem with full cone and restricted. The problems arise with port restricted NATs and symmetric NATs, right? OK… in order to traverse these NATs, ICE is needed (STUN would be needed for any NAT, right?).

So, when I set up the Asterisk with nat=yes everywhere (at the server and the extensions) and on the client I enable the ICE option, entering a TURN/STUN server address, the whole thing should work… I mean, I don’t understand where the problem is… why something is messing things up and not behaving as it should.

I just say this to clear my ideas and try to understand why this approach is not working. Why do you think this doesn’t work? The client, the ICE server…?

Thanks so much for your attention!!