Sending Calls From Behind NAT

Home » Asterisk Users » Sending Calls From Behind NAT
Asterisk Users 9 Comments


It seems my service provider is requesting a complicated settings to allow me to send from behind NAT.

What they said:

“It shouldn’t matter as long as you are handling the NAT correctly your end. We do not fix NAT so if you’re sending internal addresses in your INVITEs or SDP then things will fail but if you’re handling it correctly, we shouldn’t tell the difference”.

Really, I did not understand what exactly they need. But maybe what they need is to see my public IP address without the private IP address (this what I understood if I am right).

I tried to use the following in the [general] settings in the sip.conf


But even, the calls are drop .. so what I have to do?

The following what I get when I enabled the sip debug:

<--- SIP read from UDP: --->
SIP/2.0 403 UA behind NAT not accepted here Via: SIP/2.0/UDP;branch=z9hG4bK123c8781;rportP60;received6.40.164.239
From: “asterisk” ;tag=as45d7c63b To: ;tag

9 thoughts on - Sending Calls From Behind NAT

  • Dear Bilal,

    I understood correctly that the problem is that calls drops?
    What router are you using?


  • This should be externip not externadd

    You are still sending them your local address

    Cheers Duncan

  • It looks like you need to enable the sip application layer gateway or ALG on your router. The problem is not exactly a Nat issue. The problem is most likely with the sip header keeping the private IP address, the ALG when enabled will change this to your public

  • Quite often the reverse is true. Most routers (at least those I’ve used)
    seem to have such a lousy implementation of a SIP ALG it’s often far better to just disable it and do your own NAT fixups in Asterisk (as others have indicated in previous posts).

    In fact, it’s now the first thing we advise clients to do when they report call problems or one-way audio: disable the SIP ALG in your router.

    Sadly, there are also quite a few routers out there now that have ALGs that can’t be disabled (or that make it extremely difficult to disable them).

    Kind regards,


  • I’m with Duncan, you need a public IP address, not private.

    Chris Budinick

    Network Technician RAINIER CONNECT

    —– Original Message —

  • –Boundary_(ID_oN+AThRIZtVfTlIlR67/Hg)
    Content-type: text/plain; charset=utf-8
    Content-transfer-encoding: quoted-printable

    Check reinvite and NAT settings on the line as well as the SIP peers.

    You can use a stun client from inside your network to see what’s going on with the NAT

    From: [] This should be externip not externadd

    You are still sending them your local address

    Cheers Duncan

  • I think these setting are all wrong:
    1. local network should be something like:
    2. Subnetmask cant’ be !
    3. externip=x.x.x.x (Not “externadd”)


  • Dears;

    What Jian said is the right and it worked.

    But I have the following questions:

    Why is wrong and I have to use Also, do I have to set the localnet or it is enough to set the externip?

    From the other side, I am using Asterisk and when I was searching in the sip.conf, I did not find externip (so I added by my hand) and I remember very well that before I was able to find the externip in the sip.conf, although I am finding externadd. So why this?

    One more thing, what is the difference between externadd and externip?

    Regards Bilal


  • The IP information is called “IP subnetting” which is the basic rule about IP address. It seems you are using a Class C private subnet so will never be a correct “network address”. (Depend on your subnet mask, the network address could be like something else. But the last octet 2 is obviously wrong!)

    If your Asterisk is behind a NAT router/firewall, you need: