If the Asterisk server is a server good enough, i run it both as a sip server and a iax server, behind a nat firewall, without a problem.
It generally also works ok with nat in both ends at the client side and the server side. But the sip clients some times give problems when they are natted so I think the best chice is a Iax client (Softtelephone = idefiks with a USB headset.)
I have tried with the Asterisk box directely connected to the internet and behind a nat firewall.
According to my opinion the clearly best choice is to place it behind a nat firewall. There are zero disadvantages if things are configured the right way, as far as I have experienced and the averall security is bether behind the nat firewall.
Asterisk@home use the portrange 10000-20000 to carry the sound, but the need for such a range will depend on the amounts of simultinually calls.
For my home server use I have reconfigured it to use only the portrange 10000-10010, that means 10 ports ant not 10000. I have tested with 4-5 simultinious inn and outgoung calls and that is more than I’m normally can use.
(Dont remember for sure but I believe that the file for configuring the nuber of chanels for the sip sound carrier is something like rtp.conf It is just to reduce the bigger portnumber 20000 to 10010 or something like that.)
Asterisk will need only one port for the sip call initiation. If this port is configured to 5060 ther is no use for one more. (But of cource you need the iax port and the sip sound carrier ports.)