asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
I have never managed to get this to work. Getting the below was trouble enough. Forget about trying to get an asterisk box behind a nat to work with clients outside.
asterisk <-> nat <-> sip client.
Yes, you will need a specific SIP iptables filter for this to work from behind a firewall.
Getting it to work with a firewall is not a problem...it is getting the thing to work with a natting firewall that is the problem. If one end is natted, you can still do some tricks to get it to work but if both ends are natted, forget it.
I know of an H.323 filter, but haven't explored SIP as we aren't running any SIP application here yet.
Another possibility would be a SIP proxy installed on the firewall, but it is not as secure as a filter.
asterisk IS a sip proxy.