SIP phone behind NAT and Asterisk also behind NAT Issues


I have facing great problem of sip registertaion behind NAT.
My router firewall log shows following message
2006-09-24 23:26:51 3/ICMP from to 203.99.xx.130 Dropping ICMP error message. Original UDP from to

Anybody can help me


If your Asterisk Box and your SIP phone are behind a NAT, the entry
for your sip phone in sip.conf might need nat=yes and qualify=yes.
When I started out, I had the same problem.

Also, what is the version of Asterisk ? What SIP Phone are you using ?
What model of router are you using ?

I am using Rpath PoundKey with Asterisk version 1.2.12. In sip.conf
there is a section which helps define the NAT IP address and to
set as a global SIP config for all sip devices both soft phones and
hard phones. Again, I set it for nat=yes. I also set the IP address
as the “who sees us as” the IP address assigned from my internet
provider. I have 3 soft phones, SJPhone, IDEFisk, and X-Lite. I also
have a SPA 3102 all, Including asterisk behind a WRT54G Linksys
Router. All work seamless. Also, I have not needed any comment
such as nat=??? in iax.conf. IAX for my box works like a charm !

Hope this helps!

I’ve got a similar problem that I’m trying to work through.

Asterisk -> Firewall1 -> Internet
Internet <- Firewall2 <- X-Lite_3

I control Asterisk and Firewall1, so I’m forwarding ports 10-20K.
I don’t control Firewall2. Registration of the X-Lite phone works,
calls can be connected, but the UDP packets for the conversation
get dropped by Firewall2.

Is there something I can do on the Asterisk to work around this?
Is this was the nat=yes is suppose to resolve?

net=yes will not work around if a firewall is told to drop packets. From what I have seen there are some firewalls’ whose NAT is simply crap (this includes some $1000.00 Sonicwalls). Some routers are just stupid and they drop packets because they dont know where to send them. Try using diffrent routers. I am using a basic SMC and it seems to be working great. Another possible solution is to have asterisk re-register real often so the connection is constantly there and the router will know where to send the packets to.

Firewall2 in my example is a Cisco PIX 506E.
Maybe it’s junk. I’m sure opinions vary… :wink:

Not saying its junk just saying I have seen expensive firewalls wreak havoc when it came to NAT.

We haven’t had any other problems with the 506s,
so I wasn’t going to point my finger there just yet.

I’m not a network engineer, so I don’t know how to
explain how a NAT knows what return packets pass,
but I guess I was thinking that the RTP packets from
the phone conversation didn’t include the appropriate
packet information to let the firewall know where to
send them. Owell. I’m working on a VPN solution to
access the Asterisk system instead as a workaround.

I recieved an email on this. A couple of things came to mind.
X-Lite has a system log as you are probably aware of. That system
log will tell you what type of firewall X-Lite is is signaling.
If its port resticted or a full cone NAT and so on. If you have not already,
see what type of firewall X-Lite is signaling on “Firewall2” and make sure under System Settings/ Network, the correct firewall is selected.
X-Lite, when a firewall type is selected, automatically sends
" NAT Keep Alive" signals to prevent dropped packets.

In Asterisk, 1.2.xx and to the version I am using now, 1.2.12
The sip.conf has a comment section for dealing NAT.
I have nat=yes because it affects the sip.conf driver globally.
My X-Lite recognizes a “Port Resticted Cone NAT Firewall”.
No dropped SIP packets. Also, No ports fowarded at all.
Again I am using a WRT54G Linksys Router with its’ Firewall

Another issue comes to mind is the X-Lite “Transmit Silence=yes” setting. If transmit silence is set to no, calls made with X-Lite through Asterisk are going to drop if silence is detected for so many milliseconds.
This is Asterisks’ safeguard against misinterpreted call termination.
Even if My X-Lite was not required to register with Asterisk, I would select “Transmit Silence=yes” because I do not want the X-Lite
to hang up by its’ command, I want to terminate the call myself manaully.

Hope this helps !

Should X-Lite 3.0 have this System Settings/Network feature?
I reviewed my client and the User Guide and couldn’t see that.

I am using X-Lite 2.0. When the Softphone is on your desktop, can you
click on the “Menu” ? It’s the button below the line 1,2,3,-,-,
to the right. Anyway, when you press on that button. a screen
comes up that gives you a list of point and click menus. The list
contains Recent Calls, Phone Book, User Settings, System Settings.
Advanced System Settings.

If you click System Settings, you will have another list of point and click
menus. Choose “Network” then go to “Force Firewall Type”. Double click that and choose the type of firewall X-Lite is signaling.

Again, to find out what type of firewall X-Lite is signaling, Go back to
"Advanced System Settings" and click “Diagnostics”. Then click
"Diagnostic Log" and another window will open up showing X-Lites’
activity. X-Lite will have logged the type of firewall it detects.

I am not 100% sure about X-lite 3.0. However, I doubt Counterpath,
the software company that designed X-Lite, would have removed
these settings because the softphone needs these to be set to
function in multiple environments.

Also, has a grahic tutorial to help us with the X-Lite set up.

If you find it is not included, repost and we look into another solution.

Maybe someone else reading this can chime in?
I really do not see anything in 3.0 that’s similar.

Maybe they skimmed down 3.0 and are pushing
people to purchase the retail product instead?

Go to the website and there will be a link to the X-Lite
3.0 and then the Users Manual. On page 5 it refers to a button on the top of the softphone with the “arrow down” emblem called the Menu Button.
When you click this button, a “Setting Up Accounts” window should
appear. At the top of this box there should be an index
button called “Topography”. Click this Index button and
there should be the ability to set parameters for whatever
NAT you might have. The Diagnostic Log is also detailed
on page 29 of the Users Manual.

You are right. The 3.0 is different and Improved. They have
changed the skin to the Eyebeam look but the funtionality
is still there plus some !

Hope this helps !

Yeah, I’ve seen that page. I’ll play with it some more
and see if there isn’t a combination that will work out.


I havent worked with PIX firewalls myself but have glanced through STUN a little (just incase i ever do run into a NAT issue). Maybe ya wanna check that out. From my understanding it will tag a packet for NAT communication before it gets stuck… Yeah im not being too technical at 1:30am :wink: