asterisk users - Nov 2005 - NAT'd SIP extension, no audio

Hi folks,

I have an asterisk server behind a NAT'd gateway that is using iptables. 
Internally, I have no problems connecting to asterisk.  I would like to be able
to use a sip softphone from outside the gateway, and become an extension on my
asterisk PBX.

I have a laptop running X-Lite.  When I connect it internally, the extension
works fine.  When I got outside my gateway, to another network on the internet
(that is itself NAT'd behind a Belkin wiresless router), and I also change
the sip extension in the asterisk dialplan to have nat=yes, then I hear no
voice.  Note that I can dial, and call will be connected; for example, if I dial
into voicemail, I can enter my password and see in the asterisk logs that it
went into the voice mail app.  However I hear silence.  If I dial the extension,
it rings until it is picked up, and after that there is silence.

Here are the iptables commands in my current setup (that don't have audio):

$iptables -A FORWARD -i eth0 -p udp --dport 5060:5080 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d x.x.x.x --dport 5060:5080 -j
DNAT --to-destination 192.168.1.40:5060:5080

$iptables -A FORWARD -i eth0 -p tcp --dport 5060:5080 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d x.x.x.x --dport 5060:5080 -j
DNAT --to-destination 192.168.1.40:5060:5080

$iptables -A FORWARD -i eth0 -p udp --dport 8000:20000 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d x.x.x.x --dport 8000:20000 -j
DNAT --to-destination 192.168.1.40:8000:20000

$iptables -A FORWARD -i eth0 -p tcp --dport 8000:20000 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d x.x.x.x --dport 8000:20000 -j
DNAT --to-destination 192.168.1.40:8000:20000


192.168.1.40 is the address of my Asterisk server.  x.x.x.x is my external IP
address.  I got these commands by copying commands I have successfully used to
forward the ports used for VNC, and because I saw stuff on the internet that
said I needed to hand the RTP ports as well as SIP.  I have both UDB and TCP in
there because I some people have told me UDP only was needed and others told me
TCP was needed.

Here is the section in sip_additional.conf that defines the extension:

[908]
username=908
type=friend
secret=XXXX
record_out=Always
record_in=Always
;qualify=no
qualify=150
port=5060
nat=yes   ; for external extension only
mailbox=908@default
host=dynamic
dtmfmode=rfc2833
context=from-internal
canreinvite=no
callgroup=1
pickupgroup=1

I added these lines to sip.conf:

#added for external extensions
externip=x.x.x.x
localnet=192.168.1.0/255.255.255.0

Here is my rtp.conf:

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
rtpstart=10000
rtpend=20000


Why doesn't this work, and what can I do to fix it ?  Should I post the logs
of the X-Lite debug log and asterisk full log ?  If I did a tcpdump on the NAT
gateway while a call was attempted, would that help ?

--Rob

P.S.  A copy of this post is at http://pastebin.ca/28236, from when I asked this
on IRC