These instructions are for spa303, spa504g, spa508g, spa112, spa122, spa232g as well as many other Cisco phones and devices including older Linksys like spa9xx.

There must be hundreds of articles explaining same scenario and providing step by step instructions how to configure Cisco spa5xx and spa3xx phones to work with asterisk. Setup of the extension in free or a commercial web interface like freepbx or elastics is very simple. All you need to do is enter an extension number for the phone, password and if the phone is behind NAT or not. This article is not about how to use or setup your asterisk pbx, it is about how to setup Cisco spa device to work with asterisk when it is behind firewall or NAT.

Many articles will tell you to setup your phone as follow:

NAT Mapping Enable and NAT Keep Alive Enable to yes

Put your proxy in Outbound Proxy field

Configure STUN Server and external IP address.

Well, we have found out the hard way that the above instructions do work in common environments, but in fact create issues with registration to asterisk from behind the NAT.

The asterisk by default qualifies peers/phones every 2000 ms ( 2 seconds) The reason behind it is to keep the entry in NAT router current. Let me explain. When the phone registers on asterisk from behind the NAT(Network Address Translation) using UDP protocol it creates a temporary entry in router table;  a memory allowing router to send packages back to the phone from the outside. The entry looks similar to this:

udp      17 76 src= dst=xx.xx.169.164 sport=5061 dport=5062 packets=26095 bytes=17368757 src=xx.xx.169.164 dst=xx.xx.207.25 sport=5062 dport=1026 packets=26049 bytes=16016165 [ASSURED] mark=0 use=2

udp is a protocol, we will get to it little later, is a private IP address of the phone, sport is a port that the phone is listening on for sip messages, dport is a destination port of the sip proxy,  xx.xx.169.164 is an IP address of sip proxy (asterisk server ), dst or xx.xx.207.25 is a public IP address of the nat router……. In other words the router/firewall/NAT remembers briefly to send udp packages coming from  xx.xx.169.164 on port 5062 to port 1026 to private IP listening on port 5061. As I mention entry like this is very short lived, by default UDP timeout is 120 seconds and TCP 3600 seconds. Perhaps we should use TCP, and yes this is an option now since asterisk and most of newer phones do support sip over TCP. While sip over tcp maybe a better options for some networks, and even save on bandwidth despite larger packages and requirement of confirmation UDP is still better for dhcp assigned address that are changing very frequently. Where you cable modem may keep its public IP for weeks at the time, dsl service from phone company may change it on the fly many times per day.

Enabling “NAT Mapping Enable” and “NAT Keep Alive Enable” on the phone makes the phone send “keep alive” messages to asterisk, creating a 2nd entry in NAT table that is usually very same as the first, but from time to time the dynamic port is deferent , especially after the call is finished ,  causing the phone to lose the registration on asterisk. Keep in mind that in this case port 5061 and 5062 are configured on phone and asterisk but port 1026 is dynamically assign by the router as a temporary gateway from outside to inside of the firewall from and to very specific protocol, address and port. When the call is active “keep alive” sip messages are creating 2nd entry in NAT table on the router with deferent port, while asterisk is still sending its own OPTION sip messages on the original port. Since the phones “keep alive” messages are sent every 15 seconds the phone firmware understands it as the valid one and discards asterisk responds since the port ( there is little more to it) does not match, at the same time asterisk is ignoring the messages with “wrong” port in it. At the same time router is not seeing proper responds with matching ports it activates the timer and your phone drops the registration after 120 seconds.  How can I put it? SIPv2 is a sort of standard.  🙂

I can see that this article got little more technical that I intended, but there was no other way to explain it.

Outbound proxy; unless you phone should register on one asterisk server to receive calls and make outgoing calls via other asterisk server, do not put same address in proxy and outbound proxy. It does absolutely nothing.

STUN. Well, hundreds of articles have been written about STUN and how it helps with internet telephony, even google provides stun server/service for free. We have found that while there are reasons to use STUN server in large corporate networks or in countries where Internet Service Provider does not provide public IP to a subscriber, the implementation of stun rewriting the sip messages is too extensive there for confusing for asterisk and the phone. We have seen during our testing that in order to use stun asterisk cannot have extension set to NAT to work properly. In every day home or office environment stun should not be used at all.

There is also common misconception that every phone on the private network should be set to deferent sip port. It would not hurt, but there is no need for it. The router NAT table is already distinguishing between private ip addresses; it does not need to have deferent port to route properly. In some cases, where the phone has only 1 port for rtp (the audio) like older aastra phones the configuration is necessary to assign unique rtp port to each phone behind same NAT.

Just to summarize:

Configure your Cisco spa504g: all defaults and change only following values under extension 1.

Proxy, user id and password, and let the asterisk do the rest.

Simple, right?


If your Cisco phone drops the registration enable “NAT_Keep_Alive_Enable”, disable “NAT_Mapping_Enable” and in case of multiple phones in the same location set SIP_Port deferent for each phone/extension.