Frequently Asked Question
Diagnosing NAT Issues
When troubleshooting NAT (Network Address Translation) issues in Asterisk via FreePBX, the goal is to ensure that SIP and RTP traffic flows correctly between internal devices and external trunks or endpoints, especially when your FreePBX server is behind a NAT firewall, which it should always be. Below is a step-by-step guide to diagnose and resolve common NAT-related problems.
1. Verify External IP Address and Local Networks in FreePBX
First, confirm that FreePBX is correctly identifying your public (external) IP address and internal network settings.
- Navigate to Admin > Settings > Asterisk SIP Settings / General SIP Settings
- Check the External Address. If it's blank or incorrect, manually enter your public IP address.
- If your firewall has multiple IP Addresses, be sure to pin the NAT to one only.
- Ensure Local Networks is correctly set to include your internal LAN (e.g., 192.168.1.0/24 or 10.0.0.0/8).
- Check the RTP Port ranges, by default 10000-20000. Adjust as needed, but these must match your firewall configuration.
- RTP Checksum and Strict RTP should both be "Yes".
- RTP Timeout should be 30 seconds, RTP Hold timeout should be 300 seconds (5 minutes).
This helps Asterisk determine which traffic is internal and which needs NAT traversal, and pins the ports so they match the firewall rules.
2. Check PJSIP Settings in FreePBX
Navigate to Admin > Settings > Asterisk SIP Settings / SIP Settings (chan_pjsip).
- Confirm the ports you are using, generally 5060 for TCP/UDP and 5061 for TLS. You can choose your own, but this will need to be reflected in the NAT rules setup on the firewall.
- You DO NOT need to set External IP Address here, it will use the one you set above. Set it here only if you are using different public IPs for different services.
- If you are using TLS, be sure there is a valid TLS Certificate installed and tlsv1_2 or tlsv1_3 is selected. It is common to set Verify Client and Verify Server to "No" to avoid any issues, but test with "Yes" once working.
The Asterisk Console
To access the Asterisk Console, open an SSH session to the server and run
asterisk -rv
This will enter Asterisk command mode, where commands can be sent to, and responses received from, the Asterisk server.
3. Check registrations have succeeded
Type
pjsip list registrations
and you should see a list of registrations, with a status of 'Registered' - one for each trunk. If not, this needs to be investigated UNLESS there is no registration with your trunk provider and they are sending traffic directly to an IP Address.
4. Check PJSIP Trunks are available
Use the Asterisk CLI to identify the IP address of the trunk or endpoint causing issues.
pjsip show contacts
You should see a list of PJSIP endpoints, including extensions and trunks. Your trunks should be 'Avail'.
5. Enable SIP Logging for the Trunk
To debug SIP signaling issues, enable logging for the specific trunk.
pjsip set logger host TRUNKNAME
This will turn on SIP Logging, which will be logged to the console - use your terminal application to capture SIP Traffic.
If you are submitting this to the GEN Helpdesk, instead use
pjsip set logger pcap gen.pcap
6. Turn off SIP Logging for the Trunk
To turn off debugging, simply use
pjsip set logger off
If you have been creating a pcap for GEN Support, now attach that .pcap file to the ticket.
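As an added example (not part of the original FAQ, nor FreePBX or Asterisk code), the Python below checks one SIP message captured by the logger in step 5 for the two misconfigurations step 1 guards against: a Local Networks address advertised to an external peer in Contact or the SDP c= line, and an advertised RTP port outside the range forwarded on the firewall. The abridged sample INVITE, its addresses, and the nat_findings and is_local helpers are constructed for illustration.

```python
import ipaddress
import re

# Assumed Local Networks setting from step 1 (constructed value).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Assumed RTP range forwarded on the firewall (the default named in step 1).
RTP_PORT_RANGE = (10000, 20000)

# Constructed, abridged sample: an INVITE sent to an external trunk while
# External Address is blank, so the LAN address leaks into Contact and SDP.
SAMPLE_INVITE = """\
INVITE sip:15551230000@203.0.113.10:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bKPjexample
Contact: <sip:100@192.168.1.20:5060>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.168.1.20
c=IN IP4 192.168.1.20
m=audio 24000 RTP/AVP 0 8 101
"""

CHECKS = [
    ("Contact", re.compile(r"^Contact:.*@(\d{1,3}(?:\.\d{1,3}){3})", re.I)),
    ("SDP c=", re.compile(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})")),
]
AUDIO = re.compile(r"^m=audio (\d+) ")

def is_local(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed address in the capture: nothing to compare
        return False
    return any(ip in net for net in networks)

def nat_findings(message, networks=LOCAL_NETWORKS, rtp_range=RTP_PORT_RANGE):
    """Return NAT problems found in one SIP message sent to an external peer."""
    findings = []
    for raw in message.splitlines():
        line = raw.strip()
        for label, pattern in CHECKS:
            m = pattern.match(line)
            if m and is_local(m.group(1), networks):
                findings.append(f"{label} advertises local address {m.group(1)}")
        m = AUDIO.match(line)
        if m and not rtp_range[0] <= int(m.group(1)) <= rtp_range[1]:
            findings.append(f"RTP port {m.group(1)} outside {rtp_range[0]}-{rtp_range[1]}")
    return findings
```

Run it only on messages sent to a trunk or remote endpoint; messages to phones on the LAN are expected to carry local addresses.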
7. Enable RTP Debugging to Check for One-Way Audio
One common NAT issue is one-way audio (e.g., you hear the other party but they don’t hear you). This is often due to RTP traffic not being properly forwarded.
rtp set debug ip 123.123.123.123
Replace 123.123.123.123 with the IP address of your trunking provider. This will output every RTP packet received as a stream. You are looking for packets in both directions for the duration of the call. Outbound packets will traverse the firewall easily, but inbound packets will need to use port mapping to find their way back to the server.
To turn off RTP debug, run the command
rtp set debug off
If RTP packets cease, the call will terminate after 30 seconds. This is a common firewall NAT issue.
8. Common Fixes for NAT Issues
| Symptom | Possible Fix |
|---|---|
| No outgoing calls | Check direct_media=no, and port forwarding. |
| One-way audio | Enable force rport, rewritecontact, and direct_media=no. |
| Registration fails | Check PJSIP Match and firewall rules. |
| Call drops after 30 seconds | Inbound Port Mapping RTP |
Always submit a comprehensive /var/log/asterisk/full and any pcaps with your ticket for analysis and remedy.
