Hi
There should not be a problem letting all the ports through, as it is only SIP listening on the other side, they cannot do anything else. Unless of course you have got one of those really cheap routers that does not allow you to put in port ranges.
However, to answer your question: the NAT=Yes setting in sip.conf makes the two ends use the same port so that, to the NAT device, the returning audio hits the same port that was opened by the outgoing audio.
If the audio does come back on a different port, as it is designed to do in SIP, then the NAT device would not know how to send the packets on to Asterisk, as they would be turning up on an unrelated port, and therefore would be dropped. SIP-aware expensive firewalls can cope with this.
So the first thing to do is ensure that every extension is set to NAT = yes, or do it globally. I think this is done by default by FreePBX.
Next, we need an RTP stream available for every phone, just in case everyone does call at once. So let's assume that you have 5 phones - it does not matter to Asterisk as to whether they are internal or external.
We need to adjust the SIP ports that Asterisk is listening on. So in /etc/asterisk/rtp.conf, you will see an entry like this:
rtpstart=10000
rtpend=20000
Change the end port to rtpend=10004 to give you 5 ports, and do an amportal restart.
So in theory, you should be able to direct the following UDP ports to the Asterisk server: 5060, 10000->10004
If you have more phones, you will need more RTP ports.
As ever, no guarantees that this will not break everything.
Joe
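
An added example, not part of Joe's post: a Python check that reads the rtpstart/rtpend values from rtp.conf text and compares them with the UDP ranges forwarded on the router, reporting ports that are needed but not forwarded and ports that are forwarded beyond what the post's setup calls for. The function names, the (first, last) tuple form for router rules and the sample config are assumptions constructed for the illustration.

```python
import re

# Constructed sample of /etc/asterisk/rtp.conf after the change described in the post.
SAMPLE_RTP_CONF = """\
[general]
; RTP port range
rtpstart=10000
rtpend=10004
"""

SIP_PORT = 5060  # UDP port the post forwards alongside the RTP range


def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text, ignoring ';' comments."""
    vals = {}
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"^(rtpstart|rtpend)\s*=\s*(\d+)$", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    if set(vals) != {"rtpstart", "rtpend"}:
        raise ValueError("rtpstart and rtpend must both be set")
    if not (0 < vals["rtpstart"] <= vals["rtpend"] <= 65535):
        raise ValueError("invalid RTP port range")
    return vals["rtpstart"], vals["rtpend"]


def required_ports(conf_text):
    """UDP ports the post says to direct to the Asterisk server."""
    start, end = rtp_range(conf_text)
    return {SIP_PORT} | set(range(start, end + 1))


def audit_forwards(conf_text, forwards):
    """Compare router rules with rtp.conf.

    forwards: list of (first, last) inclusive UDP port ranges (hypothetical form).
    Returns (missing, excess): needed ports that are not forwarded, and
    forwarded ports outside the SIP port and the configured RTP range.
    """
    need = required_ports(conf_text)
    fwd = set()
    for first, last in forwards:
        fwd.update(range(first, last + 1))
    return sorted(need - fwd), sorted(fwd - need)
```

A non-empty `missing` list points at audio being dropped at the NAT device; a non-empty `excess` list means the router still forwards the old, wider range after rtp.conf was narrowed.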