Asterisk (Trixbox) and NAT

I’ve run into this several times. If an asterisk server is behind a firewall using NAT, you need to modify sip.conf for sip clients to work properly. Without it audio can be one-way or broken altogether.

You’ll need the external hostname of the asterisk server (e.g. asterisk.company.com) external ip of the asterisk server (e.g., and the internal network addressing (e.g. 192.168.1.x with subnet mask of

from a ssh session in terminal:

nano /etc/asterisk/sip.conf

replace contents of file with this:

; Note: If your SIP devices are behind a NAT and your Asterisk
; server isn’t, try adding “nat=1” to each peer definition to
; solve translation problems.

externhost = asterisk.company.com
externip= ; the ip address your ISP gives you
port = 5060 ; Port to bind to (SIP is 5060)
bindaddr = ; Address to bind to (all addresses on machine)
disallow=all ; Modify these to meet your codec needs

; If you need to answer unauthenticated calls, you should change this
; next line to ‘from-trunk’, rather than ‘from-sip-external’.
; You’ll know this is happening if when you call in you get a message
; saying “The number you have dialed is not in service. Please check the
; number and try again.”
context = from-sip-external ; Send unknown SIP callers to this context
callerid = Unknown

; #, in this configuration file, is NOT A COMMENT. This is exactly
; how it should be.
#include sip_nat.conf
#include sip_custom.conf
#include sip_additional.conf

[control-x to exit, Y to save the file]

amportal stop

amportal start

The last two commands will stop and start your server quickly (and rather rudely to users), so restart asterisk in whatever way makes sense.

For NAT to work for external phones, the extension will need to have nat=yes specified, and the phone will have to have it specified as well. The procedure for different types of phones varies.

