How to make Cisco 7960 phone work behind NAT?


We are running the latest version of Asterisk. All our Cisco 7960 phones are also on the latest version of SIP firmware (P003-8-12-00).

A couple of our employees will start working from home. We need to reconfigure their phones such that they can continue to use them from their home. These employees are also running NAT/firewall at their home.

I have gone through various articles and here is what I understand.

  1. On company firewall, open up TCP/UDP port 5060 forward it to the Asterisk box.

  2. On the phone, change SIP parameters on the phone to enable NAT.

nat_enable: 1
proxy1_address: Company’s external IP address.

  1. On the employee’s router (Linksys or DLink), define a port range trigger to forward UDP range 16384 - 32766 to the IP address of the SIP phone.

  2. On the Asterisk box, change sip.conf to enable NAT for the specific user(s).

However, I am not clear on certain things:

Q1. Does the latest version of Cisco SIP firmware support STUN?

I am hoping Cisco phone automatically finds out the WAN address. It would be painful for the employees to edit the setting each time their WAN IP changes.

Q2. TFTP Server

Is TFTP server a must for Cisco phone to work? Ideally, we would not want to expose our TFTP server over the Internet. Plus, SIPDefault.cnf contains password for the phone. Why would anyone expose the TFTP server?

Q3. RTP port range

The default RTP port range for media is 16384 - 32766. Do we really need to make it this wide?

Q4. Did I miss anything in my initial planning?

Thank you in advance for your help.


PeterTaps - I’d like to follow this thread. I’m a Asterisk new-bee building a test box at home. Thanks

I too have home users … and am wondering about these topics…