SIP Clients and Asterisk for NAT

SIP Clients and Asterisk for NAT

There are two main options when  Asterisk is behind NAT: externaddr and extern host.

The external address of the gateway (router) to the external network. “Externaddr = hostname [: port]” indicates the static address [: port] that will be used in SIP and SDP messages. The hostname (hostname) is raised every time [s] is loaded by sip.conf. If the port is not assigned, the value specified in the udpbindaddr parameter is used.

  • Externaddr =; use this address.
  • Externaddr =; use this address and port.
  • “Externhost = hostname [: port]” is the same as “externaddr” only this ‘hostname’ updated via externrefresh seconds (default is 10 seconds).
  • Externhost = 9999; external hostname, NAT
  • Externrefresh = 180; set refresh interval
  • The ‘localnet’ parameter specifies a list of network (gray) addresses, according to RFC1918, which are considered to be “internal”.
  • Localnet = /; addresses according to RFC 1918
  • Localnet = /; addresses according to RFC 1918
  • Localnet = / 24; addresses according to RFC1918 with CIDR designation
  • Localnet = /; zeroconf local network according to RFC 3927
  • Processing of RTP media streams.

In case that you use an external VoIP provider and your IP PBX Asterisk is behind a NAT device, you need to use the directmedia = no option:

  • Directmedia = yes; directs traffic along the optimal path, allowing re-INVITE
  • Directmedia = no; prohibits traffic redirection, in this case all RTP streams pass through Asterisk
  • Directmedia = nonat; allows redirection of traffic only when the sender is not behind it.
  • Directmedia = update; uses UPDATE to redirect traffic, instead of re-INVITE
  • Directmedia = outgoing; the ability to send only directmedia reinvites to the outgoing call shoulder (used to mitigate the re-INVITE scenario of potential ‘highlights’)
  • Directmedia = nonat, update; works the same as directmedia = yes
  • Directrtpsetup = yes; sets direct calls without re-INVITE, will not work for video, and if the recipient sends RTP information and fmtp headers as 200 OK, which do not match the sent INVITE, will also not work if the devices are behind it.
  • Directmediadeny = / 0; specifies access ACL by directmedia
  • Directmediapermit = / 16; Indicates the allowed subnet
  • Directmediaacl = acl_example; uses this ACL from acl.conf
  • Ignoresdpversion = yes; asterisk will take into account the version number in the SDP packages, and will modify the SDP session if the version number changes. Causes Asterisk, ignore the version number of the SDP session, and process all SDP data as new. This option allows you to interact with devices that have a non-standard implementation of SDP (observed in Microsoft OCS), by default it is off.

It’s worth mentioning that if your VoIP provider uses an RTP media server with an IP address other than a SIP server, and Asterisk itself is behind NAT, the directmedia = no option may not work for you.

Asterisk will always use symmetric RTP mode, as defined in RFC 4961, which means that Asterisk will always send packets from the same port, and that it has received it. The default value is directmedia = yes, so if you have endpoints behind NAT, you must set the directmedia = no option.

The IP address used for RTP (audio, video and text) in SDP can be reassigned by the media_address parameter. This parameter can only be used in the [general] section.

  • Media_address =
  • ICE / STUN / TURN use can be enabled globally or for a particular feast, using the icesupport option, by default this option is disabled.
  • Icesupport = yes

You can set the range of RTP ports used in rtp.conf:

  • Rtpstart = 10000
  • Rtpend = 10100

Try these configurations at your devices and contact us for help!

You Might Also Like