VoIP Infrastructure Guide

VoIP NAT Traversal Guide

10 min read · Updated April 2026

NAT traversal is the most common source of VoIP failures. One-way audio, registration failures, and calls that connect but have no audio all trace back to NAT. This guide covers every solution from STUN to SBC.

In this guide

01Why NAT breaks VoIP 02STUN — how it works and when to use it 03TURN — when STUN is not enough 04ICE — the complete solution 05SBC — enterprise NAT traversal 06Configuring NAT in PBX platforms

1. Why NAT breaks VoIP

Network Address Translation (NAT) is designed for TCP/HTTP traffic where the server responds to the client that initiated the connection. VoIP is different — both sides send and receive audio, and the remote endpoint needs to know your real reachable address.

The problem: when a SIP endpoint behind NAT sends an INVITE, it advertises its private RFC 1918 IP address (192.168.x.x, 10.x.x.x) in two places:

Contact header: sip:1001@192.168.1.100:5060 — tells the remote where to send SIP responses
SDP c= line: c=IN IP4 192.168.1.100 — tells the remote where to send RTP audio

The remote endpoint receives these private IPs and tries to send traffic to them — but private IPs are not routable over the internet. The result: one-way audio (remote can hear you but you cannot hear them), or no audio at all.

; Example of NAT problem in SDP
; What the phone sends (private IP - unreachable)
c=IN IP4 192.168.1.100
m=audio 10000 RTP/AVP 0

; What it should say (public IP - reachable)
c=IN IP4 203.0.113.1
m=audio 10000 RTP/AVP 0

2. STUN — discovering your public IP

STUN (Session Traversal Utilities for NAT, RFC 5389) is a protocol that lets a device behind NAT discover its public IP and port by asking a STUN server on the internet.

How STUN works

Your phone sends a STUN Binding Request to the STUN server (e.g., stun.l.google.com:19302)
The STUN server sees the public IP and port your NAT assigned
The STUN server returns these in a Binding Response
Your phone uses the public IP/port in its SDP and Contact headers instead of the private IP

When STUN works: Full cone NAT, restricted cone NAT — most home and small office routers.

When STUN fails: Symmetric NAT — used by many corporate firewalls and carrier-grade NAT. With symmetric NAT, the public port assigned for a STUN query is different from the port assigned for RTP, so the STUN-discovered address does not work for media.

; Test if STUN works from your network
# Install stunclient
apt-get install stuntman-client

# Test NAT type
stunclient stun.l.google.com 19302

# Output will show:
# NAT type: Full Cone (STUN will work)
# NAT type: Symmetric (use TURN instead)

3. TURN — when STUN is not enough

TURN (Traversal Using Relays around NAT, RFC 5766) solves symmetric NAT by relaying all media through a server on the public internet. Instead of trying to punch through NAT, all RTP flows through the TURN server which both endpoints can reach.

TURN is more reliable than STUN — it works with all NAT types. The tradeoff is latency (media takes an extra hop) and cost (bandwidth through the relay server).

; coturn - open source TURN server
# Install coturn
apt-get install coturn

# /etc/turnserver.conf
listening-port=3478
tls-listening-port=5349
external-ip=YOUR_PUBLIC_IP
realm=yourdomain.com
user=voip:password
lt-cred-mech
log-file=/var/log/turnserver.log

# Start coturn
systemctl enable coturn
systemctl start coturn

4. ICE — the complete NAT traversal solution

ICE (Interactive Connectivity Establishment, RFC 8445) combines STUN and TURN into a systematic process that finds the best possible path between two endpoints. ICE is mandatory in WebRTC and used by modern SIP deployments.

ICE candidate types

Candidate Type	Source	Used when
Host	Local network interface IP	Both endpoints on same network
Server Reflexive	STUN server discovers public IP	Simple NAT, different networks
Relay	TURN server relay address	Symmetric NAT, restrictive firewalls

ICE gathers all candidate types, exchanges them with the remote endpoint via the SDP, then performs connectivity checks (STUN binding requests) to find which pairs actually work. It selects the best working pair for media.

5. SBC — enterprise NAT traversal

A Session Border Controller (SBC) is the production-grade solution for VoIP NAT traversal at scale. The SBC sits at the network boundary and:

Rewrites SDP c= lines with its own public IP
Rewrites Contact and Via headers with its public address
Anchors media — both RTP streams go through the SBC, eliminating NAT issues
Handles registration from endpoints behind NAT by maintaining binding state
Works with all NAT types including symmetric NAT

SBCs are used by carriers, enterprises, and any deployment with multiple remote endpoints or trunks. They eliminate NAT issues entirely at the cost of always relaying media (similar to TURN but at the SIP layer).

6. Configuring NAT traversal in PBX platforms

Asterisk PJSIP

; pjsip.conf transport section
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
external_media_address=YOUR_PUBLIC_IP
external_signaling_address=YOUR_PUBLIC_IP
local_net=192.168.0.0/255.255.0.0
local_net=10.0.0.0/255.0.0.0

; Endpoint NAT settings
[myendpoint]
type=endpoint
direct_media=no     ; force media through Asterisk
ice_support=yes     ; enable ICE for WebRTC

FreeSWITCH

<!-- vars.xml -->
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=YOUR_PUBLIC_IP"/>
<X-PRE-PROCESS cmd="set" data="external_sip_ip=YOUR_PUBLIC_IP"/>

<!-- Sofia profile -->
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
<param name="local-network-acl" value="rfc1918.auto"/>

Kamailio with RTPEngine

; RTPEngine handles media NAT for Kamailio
; Install rtpengine, then in kamailio.cfg:
loadmodule "rtpengine.so"
modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")

; In request route:
rtpengine_manage("replace-origin replace-session-connection");

Frequently asked questions

Why does VoIP not work behind NAT?

VoIP breaks behind NAT because SIP endpoints advertise their private RFC 1918 IP addresses in the SDP c= line and Contact header. Remote endpoints cannot route traffic to private IPs over the internet, causing one-way audio or no audio. The fix requires NAT traversal: STUN to discover the public IP, TURN to relay media, ICE to negotiate the best path, or an SBC to anchor media at the network boundary.

What is the difference between STUN and TURN for VoIP?

STUN discovers your public IP and port by querying a server. It works with simple NAT types but fails with symmetric NAT used by many corporate firewalls. TURN relays all media through a server on the public internet, working with all NAT types including symmetric NAT. ICE uses both: it tries STUN first and falls back to TURN relay if direct connectivity fails.

How do I fix one-way audio in VoIP?

One-way audio is almost always a NAT issue. The remote endpoint is sending RTP to a private IP. Fix by configuring your PBX with its public IP: in Asterisk PJSIP set external_media_address and external_signaling_address in the transport. In FreeSWITCH set ext-rtp-ip and ext-sip-ip. For enterprise deployments, deploy an SBC to anchor media at the network boundary. Also disable SIP ALG on all routers.

Getting one-way audio or NAT-related call failures?

Paste your SIP trace into SIPSymposium. The analyzer detects RFC 1918 addresses in SDP, identifies Contact header NAT issues, and checks for SIP ALG interference.

Analyze my trace Create free account

Related guides