NAT asterisk problems

The problem is that a client can connect to the Asterisk server, but when trying to call there is no voice coming through, so I suspect the problem is with the NATted RTP session. Even if I call the preconfigured Echo service to check whether it works at least in the client-server flow, I still cannot hear anything.
I tried different directmedia and nat settings, nothing helps.
Asterisk is running on a virtual machine behind a firewall which does nothing other than translate all traffic from/to outside. Local IP: 10.0.201.60

sip.conf

[general]
realm=PBX Server
useragent=PBX Server
sdpsession=PBX Server

externaddr=79.x.x.x:5060
externhost=external.host.com

udpbindaddr=10.0.201.60:5060
tlsenable=yes
tlsbindaddr=10.0.201.60:5061
tcpenable=yes
tcpbindaddr=10.0.201.60:5060

localnet=192.168.0.0/255.255.0.0
localnet=10.0.0.0/255.0.0.0

language=en
context=default
allowoverlap=no
transport=tls,tcp,udp
srvlookup=yes
allowguest=no
alwaysauthreject=yes
limitonpeers=yes

tlscertfile=/usr/asterisk/etc/certs/asterisk.pem
tlscafile=/usr/asterisk/etc/certs/cacert.pem
tlsclientmethod=tlsv12
;tlsciphers=EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
tlscipher=ECDH:!3DES:!RC4:!ADH:!AECDH:!NULL:!eNULL
encryption=yes

[clients]
context=clients
type=friend
host=dynamic
qualify=100
;callgroup=1
;pickupgroup=1
call-limit=1
dtmfmode=auto
allow=opus,alaw,ulaw,g729,g723,g722,gsm

[100](clients)
callerid=100
secret=12345678
directmedia=nonat
nat=force_rport,comedia

[101](clients)
callerid="Number 101" <101>
secret=87654321
nat = comedia

extensions.conf

[general]
static=yes
writeprotect=yes

[globals]
[default]

[clients]
; Call to an internal extension
exten => _XXX,1,Playback(beep,noanswer)
exten => _XXX,n,Dial(SIP/${EXTEN})
exten => _XXX,n,HangUp()

exten => 1720,1,NoOp(Starting playback service)
exten => 1720,n,Playback(beep) ; Let them know what's going on
exten => 1720,n,Echo ; Do the echo test
exten => 1720,n,Playback(beep) ; Let them know it's over
exten => 1720,n,HangUp()

Are there any suggestions as to what could be wrong? I have been fighting this for a second day, still no luck.
Thanks!

You might not have port forwarding for your RTP range.

Generally it helps if you provide the SDP exchange and RTP debugging output.

Some clarification: voice works fine, but not via TLS.
With TLS I have this issue.

Could the router be creating dynamic rules for the RTP? With TLS, it will not be able to see the SDP in order to do that.

The SIP helper is disabled on the router, so that's just transparent traffic redirection.
Is it actually possible to use RTP via a NATed Asterisk server?
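
For the SDP exchange asked for earlier in the thread, this added example (not code from any poster or from Asterisk) checks the two things the replies point at: whether the c= address Asterisk advertises falls inside a localnet, and whether the m=audio port lies in the forwarded RTP range. The SDP body is constructed, the function names are hypothetical, and the 10000-20000 range is an assumption taken from Asterisk's sample rtp.conf; use the range your firewall actually forwards.

```python
import ipaddress
import re

# Constructed SDP body (not from the thread): Asterisk answering with its private address.
SAMPLE_SDP = """v=0
o=root 1234 1234 IN IP4 10.0.201.60
s=PBX Server
c=IN IP4 10.0.201.60
t=0 0
m=audio 14562 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=sendrecv
"""

# The two localnet= entries from the posted sip.conf.
LOCALNETS = [ipaddress.ip_network(n)
             for n in ("192.168.0.0/255.255.0.0", "10.0.0.0/255.0.0.0")]

def audio_streams(sdp):
    """Return (address, port) per m=audio line; a media-level c= overrides the session-level one."""
    session_addr, media = None, []
    for line in sdp.splitlines():
        c = re.match(r"c=IN IP4 ([\d.]+)", line.strip())
        m = re.match(r"m=(\w+) (\d+) ", line.strip())
        if c and media:
            media[-1][1] = c.group(1)      # c= after an m= line applies to that stream only
        elif c:
            session_addr = c.group(1)      # c= before any m= line is the session default
        elif m:
            media.append([m.group(1), session_addr, int(m.group(2))])
    return [(addr, port) for kind, addr, port in media if kind == "audio"]

def check_sdp(sdp, localnets=LOCALNETS, rtp_range=(10000, 20000)):
    """List reasons the advertised RTP endpoint would be unreachable from outside the NAT."""
    findings = []
    for addr, port in audio_streams(sdp):
        if addr is None:
            findings.append("no c= address for the audio stream")
        elif any(ipaddress.ip_address(addr) in net for net in localnets):
            findings.append(f"c= advertises internal address {addr}")
        if not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(f"RTP port {port} is outside the forwarded range {rtp_range}")
    return findings

if __name__ == "__main__":
    for finding in check_sdp(SAMPLE_SDP):
        print(finding)
```

Feed it the SDP body from `sip set debug on` output for both the UDP and the TLS call and compare the findings.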