As an experiment, I configured Asterisk for full NAT traversal so that my SIP server could be accessed from the Internet. This isn’t usually what you want, but here’s how you do it…
DANGER - Doing this will expose your Asterisk SIP server directly to the Internet, and you’ll get all manner of violated by SIP spammers. Be aware of what you’re doing and what the implications are.
I’m assuming that you have a typical home NAT setup, where you have a dynamic IP, you’re in control of the border firewall (so you can do port forwarding), and your Asterisk install is on an internal network.
Step 1- Port Forwarding
First up, on your firewall, port forward the following ports to your Asterisk box;
5060/udp # SIP control channel 10000:11000/udp # the ports we will use for RTP
Step 2 - RTP Port Ranges
Right. Now, create an rtp.conf in your Asterisk config, containing the following;
[general] rtpstart=10000 rtpend=11000
This constrains the list of allowed RTP ports for SIP to use for communications.
Step 3 - Lockdown
Now, a word on security. Put the following into the [general] section of your sip.conf;
context=incoming-public allowguest=no alwaysauthreject=yes
Now in your extensions.conf, define that context and put nothing in it. Anyone who dials in anonymously to your SIP server will be directed to that context and go nowhere. This is what you want (presumably). For the love of God, do not put anything outbound in that context!
Step 4 - Configure NAT Traversal
In your sip.conf, in the [general] section (it must be there), add the following;
This causes the Contact headers of outbound SIP packets to be substituted with the IP address of the DNS name you specified there, if the destination is not in the localnet field. This is important to make NAT traversal work.
Step 5 - Configure SIP peers
For each of your peers, configure them to use NAT traversal as follows (some of these options may not be strictly required, but this is what I did and it worked);
nat=force_rport qualify=yes canreinvite=no directmedia=no
Step 6 - Wait for the bots
Now, if this has all worked, you should now be able to connect to your SIP server from the Internet.
May God have mercy on your server.