I have an Asterisk server behind a NAT device that has worked fine for internal (LAN) phones up until now. We now have a remote user who will be connecting in from behind their own home NAT device.
I believe the best thing for me to do is set up a STUN server, as the phone (Cisco SPA504G) supports STUN servers. Every guide I see for this also includes a TURN server, though. Is this needed? If I am setting up these servers, they will be on the same physical server as the Asterisk server (Ubuntu).
Use a VPN to connect the remote user to your local network (this is what I recommend).
If the remote user has a static IP you can also make a forward rule in your router instead.
If both solutions are not feasible you can forward port 5060 to Asterisk (depending on NAT type this should be necessary). But be sure to restrict access: deny/permit/acl, contexts, RTFM, etc.
The other thing is: for communicating with the internet you have to make Asterisk use your public IP (this means you are not using a VPN tunnel).
If you have a static IP you could use externip in sip.conf,
or you could use externhost in sip.conf with dynamic DNS,
or use res_stun_monitor. Depending on NAT type this solution won't work.
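The port-forward option from the answer above, sketched as a sip.conf fragment. This is an added example, not part of the original posts. It assumes chan_sip, a static public IP on the Asterisk side and a static IP for the remote user; every address, peer name, context name and secret is a constructed placeholder, and option names should be checked against your Asterisk version.

```ini
; sip.conf (chan_sip) -- constructed example, all values are placeholders
[general]
allowguest=no            ; reject unauthenticated calls arriving on the forwarded port
alwaysauthreject=yes     ; answer valid and invalid usernames the same way
context=unauthenticated  ; hypothetical dialplan context with no outbound routes

; Which networks are local, and which address to advertise to everyone else.
localnet=192.168.1.0/255.255.255.0   ; assumed LAN range
externip=203.0.113.10                ; static public IP (placeholder)
; Use one of externip or externhost, not both:
;externhost=pbx.example.net          ; dynamic DNS name (placeholder)
;externrefresh=60                    ; seconds between re-resolving externhost

[remote-spa504g]         ; hypothetical peer name for the remote phone
type=friend
host=dynamic
secret=CHANGE_ME_long_random_value
context=remote-phones    ; hypothetical context limited to what this user may dial
nat=force_rport,comedia  ; the phone sits behind its own NAT
qualify=yes              ; periodic OPTIONS keeps the remote NAT mapping open
deny=0.0.0.0/0.0.0.0     ; start from deny-all
permit=198.51.100.25/255.255.255.255 ; remote user's static IP (placeholder)
```

If the remote user's address is not static, the deny/permit pair cannot be pinned to one host, which is where the VPN recommendation in the answer avoids exposing port 5060 at all.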