I have discovered that there seems to be some confusion as to whether port forwarding TCP/UDP 5060 and UDP 10000/20000 is necessary for asterisk servers behind NAT. The following link seems to indicate that it is not necessary:
Routers that try to be clever with SIP tend to break things. The only way you could use Asterisk without port forwarding is if your router was trying to be clever. That is an unknown quantity.
But what’s interesting is, for me, turning SIP Application Layer Gateway on or off, turning Intrusion Prevention System on or off, turning port forwarding on or off, and any combination of the three have absolutely no effect on how calls get in or out of my system.
Also note that your firewall is probably stateful. Which means a SIP packet outbound to UDP/5060 will create a state, and leave that port open for a certain time to get the answer back from the destination.
With a stateless firewall you would see that not forwarding any port inbound to your Asterisk will break things.