How to setup Asterisk if you are behind a NAT firewall

Getting Started

If your Asterisk PBX is behind a NAT firewall, i.e. the PBX has an IP such as 192.168.0.2 then you will need to perform additional configuration to allow Asterisk to route the SIP and RTP correctly.

Basic Configuration

The NAT configuration can be found in the file /etc/asterisk/sip.conf, the relevant section that needs to be edited is reproduced below:

;----------------------------------------- NAT SUPPORT ------------------------
; The externip, externhost and localnet settings are used if you use Asterisk
; behind a NAT device to communicate with services on the outside.

;externip = 200.201.202.203     ; Address that we're going to put in outbound SIP
                                ; messages if we're behind a NAT

                                ; The externip and localnet is used
                                ; when registering and communicating with other proxies
                                ; that we're registered with
;externhost=foo.dyndns.net      ; Alternatively you can specify an
                                ; external host, and Asterisk will
                                ; perform DNS queries periodically.  Not
                                ; recommended for production
                                ; environments!  Use externip instead
;externrefresh=10               ; How often to refresh externhost if
                                ; used
                                ; You may add multiple local networks.  A reasonable
                                ; set of defaults are:

;localnet=192.168.0.0/255.255.0.0; All RFC 1918 addresses are local networks
;localnet=10.0.0.0/255.0.0.0    ; Also RFC1918
;localnet=172.16.0.0/12         ; Another RFC1918 with CIDR notation
;localnet=169.254.0.0/255.255.0.0 ;Zero conf local network

; The nat= setting is used when Asterisk is on a public IP, communicating with
; devices hidden behind a NAT device (broadband router).  If you have one-way
; audio problems, you usually have problems with your NAT configuration or your
; firewall's support of SIP+RTP ports.  You configure Asterisk choice of RTP
; ports for incoming audio in rtp.conf
;
;nat=no                         ; Global NAT settings  (Affects all peers and users)
                                ; yes = Always ignore info and assume NAT
                                ; no = Use NAT mode only according to RFC3581 (;rport)
                                ; never = Never attempt NAT mode or RFC3581 support
                                ; route = Assume NAT, don't send rport
                                ; (work around more UNIDEN bugs)

The example below assumes that your Asterisk PBX has an IP address of 192.168.1.X

externip=XX.XXX.XX.XX (This needs to be your PUBLIC WAN IP address, which can be found out either from your routers administration web page, or by visiting www.whatismyip.com)

localnet=192.168.1.0/255.255.255.0

nat=yes

Once the file has been edited, you will need to restart Asterisk, consult your distribution documentation on how to perform this, for example:

service restart asterisk

sudo /etc/init.d/asterisk restart

Advanced Configuration

A further consideration is that you should ensure that you have configured port forwarding correctly on your router due to the PBX being in a NAT environment

4569 UDP - IAX/2 , forward this port if you have purchased IAX trunking , IAX can traverse your firewall easier than SIP

5060 UDP - SIP

10000 - 20000 UDP - SIP RTP Media