How to set up Asterisk/FreePBX behind NAT

This HOWTO assumes that your FreePBX system sits behind a NAT firewall with no direct connection to the outside world and that it is NOT in the DMZ. If your system faces the outside, or you have used mapped IP addresses or other techniques, then it is assumed that you have adequate knowledge to interpret these instructions and to ensure that you have properly secured your installation.

The three key considerations in setting up remote extensions are:

  • Asterisk knows which network is external vs. internal
  • All signaling and media ports are forwarded to Asterisk
  • The extension/device is set up to be NATed

To accomplish the above, we need to apply configuration in FreePBX, in some Asterisk configuration files, and on your firewall/router.

Internal/External Network Information

You must edit or create the file sip_nat.conf typically found in your /etc/asterisk directory and make sure it is owned by asterisk. We will assume that you have an internal network of 192.168.1.0/255.255.255.0 and that you have a static IP address of 24.72.182.16. If you have a dynamic IP, see the notes that follow. In this situation, you need to create or edit the following entries in your sip_nat.conf file:

externip=24.72.182.16
localnet=192.168.1.0/255.255.255.0

This tells Asterisk which IP address range is internal vs. external so that it can rewrite the SIP headers appropriately. If you have a dynamic address instead of a static address, you need to modify the above. You will need a domain name for the host; let’s assume you are using dyndns.com’s free service and have chosen the name mydomain.dyndns.org. Then your sip_nat.conf file would look like the following:

externhost=mydomain.dyndns.org
externrefresh=120
localnet=192.168.1.0/255.255.255.0

Here externrefresh tells Asterisk to recheck the IP address every 120 seconds. Adjust this higher or lower based on how often your address changes.
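An added example, not part of the original HOWTO or of FreePBX: a small Python check that reads sip_nat.conf content and reports inconsistencies between the settings described above, such as an internal address placed in externip. The function names and the pbx_ip parameter are hypothetical; 192.168.1.100 is the PBX address this HOWTO uses in its port-forwarding example.

```python
import ipaddress
# Constructed samples: GOOD uses this HOWTO's values, BAD puts an internal address in externip.
GOOD = "externip=24.72.182.16\nlocalnet=192.168.1.0/255.255.255.0\n"
BAD = "externip=192.168.1.100\nlocalnet=192.168.1.0/255.255.255.0\n"

def parse_conf(text):
    """Return (key, value) pairs; ';' starts a comment in Asterisk config files."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_sip_nat(text, pbx_ip=None):
    """Return a list of problems in sip_nat.conf content (empty list means consistent)."""
    pairs, problems, nets = parse_conf(text), [], []
    for key, value in pairs:
        if key == "localnet":
            try:  # accepts the address/netmask form used in this HOWTO
                nets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                problems.append(f"localnet {value!r} is not a valid network")
    if not nets:
        problems.append("no valid localnet: internal and external peers cannot be told apart")
    externips = [v for k, v in pairs if k == "externip"]
    externhosts = [v for k, v in pairs if k == "externhost"]
    # The HOWTO presents externip (static) and externhost (dynamic) as alternatives.
    if len(externips) + len(externhosts) != 1:
        problems.append("expected exactly one of externip or externhost")
    for value in externips:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"externip {value!r} is not an IP address")
            continue
        if addr.is_private or any(addr in net for net in nets):
            problems.append(f"externip {addr} is an internal address, not the public one")
    refresh = [v for k, v in pairs if k == "externrefresh"]
    if externhosts and refresh and not (refresh[-1].isdigit() and int(refresh[-1]) > 0):
        problems.append(f"externrefresh {refresh[-1]!r} is not a positive number of seconds")
    if pbx_ip and nets and not any(ipaddress.ip_address(pbx_ip) in n for n in nets):
        problems.append(f"PBX address {pbx_ip} is outside every localnet")
    return problems

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sip_nat(conf, pbx_ip="192.168.1.100") or "OK")
```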

Firewall/Router Configuration

The default installation of FreePBX is configured to use UDP port 5060 as the SIP signaling port and UDP ports 10001-20000 as the RTP media ports. All of these ports must be forwarded to your FreePBX system. How to do this varies widely depending on the firewall or equipment that you are using. It is commonly referred to as Port Forwarding or sometimes Destination NAT (DNAT). Whatever it is called, if we assume in this example that your FreePBX system has an internal IP address of 192.168.1.100, then you will want:

  • UDP/5060 -> Forward to 192.168.1.100
  • UDP/10001-20000 -> Forward to 192.168.1.100

Extension Information

We will assume you are using FreePBX in Extension mode, but if you are using Devices/Users, the same applies on the Devices page. You need to configure the extension with NAT enabled so that Asterisk knows this device is NATed and can apply the SIP rewriting rules that you previously configured in the sip_nat.conf file. Navigate to the desired extension and scroll down to the Device Options section.

The configuration option nat must be set to yes. You may want to set qualify to yes as well, although this is not necessary.

With these steps properly configured, your external device should be able to communicate with your Asterisk PBX server, unless badly behaved firewalls cause issues on the remote end where the device is located. The remote device should be configured to use your external IP address or domain name as configured above in the sip_nat.conf file.