This is probably obvious to most people who really know NAT and SIP but for others who are stumbling around just trying to make things work, here's my story.
I have a bunch of Sipura SPA-2000 (dual FXS) devices. I've been giving them to friends in order to see what good we can make of them. Until now I had not tried making a call to one of the devices behind NAT.
I started testing calls to a NAT device at home from a server out on the 'net. The SPA device was registered and configured with "nat=yes" but calls were failing with 404 errors. At first I thought it was just that I needed to call some special extension in the SPA.
A little network traffic sniffing showed that even though I'd told Asterisk that the device is behind NAT, it was trying to send calls to port 5060 on the public IP address. That was reaching my home Asterisk server which generated the 404.
So...more reading...I found this paper on SIP and NAT.
--kyler