Getting endpoints behind the NAT to work properly

1- What is the best practices for getting endpoints behind NAT to work and connect to the server without issue?

I mean by end points (IP phones, Soft phones on PC and Mobile devices and even SIP gateways).

2- I wonder if Turn and Stun server is required for endpoints or the purpose for it is for asterisk behind a NAT only?

I also would like to add that the endpoints are not all on the same LAN, every end-point might be behind its own NAT.

Any ideas, recommendations would be highly appreciated.


They should not be required for Asterisk behind NAT. The vast majority of people don’t use them for endpoints behind NAT.

Use a VPN to make the problem go away.

Provide the public address information to the endpoints.

Use force_rport, symmetric_rtp, and rewrite_contact, to have Asterisk use de facto peer addresses, rather than believing what it is being told.

Use STUN to let the endpoint discover its own address.

Thank you david for the answer, I actually still in need for more details

Do I need to setup a vpn server (eg, OpenVPN), and then set asterisk to send the traffic to the vpn and from there to the end points and vice versa, or how it should work.

Also, it would be highly appreciated if you provide more simple details on how to use force_rport, symmetric_rtp, and rewrite_contact, to have Asterisk use de facto peer addresses, and how to use STUN to let the endpoint discover its own address!!!

hmmm yes I’m still in beginning of the journey with Asterisk and there are lots of things I need to do my homework to gain knowledge about them.

If you think that it will take much time for you to explain in details then maybe you would refer some resources or links to read,

Thank you in advance

Does your Asterisk server live behind NAT as well? If not, you should not really need to do much.

Configure your endpoints with the following settings in the PJSIP configuration file:

; If using pjsip_wizard.conf, prefix all lines with endpoint/
rewrite_contact = yes
force_rport = yes
rtp_symmetric = yes
direct_media = no

If you have Asterisk behind NAT as well, and needs access from the outside, the easiest and best option is to move Asterisk outside your NAT, on a public IP address. VoIP and NAT can be quite a challenge if everyone is behind NAT, but usually works flawlessly, if Asterisk has a public IP address.

1 Like

Thank you Chano, My setup is deployed on a cloud server with public fixed IP address. The endpoints are all behind NAT.

In that case, you should only have problems if the NAT implementation your endpoints are behind, is bad.

Unless you have an actual problem, I would not worry a lot about endpoints behind NAT.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.