This is probably obvious to most people who really know NAT and SIP but for others who are stumbling around just trying to make things work, here's my story.
I have a bunch of Sipura SPA-2000 (dual FXS) devices. I've been giving them to friends in order to see what good we can make of them. Until now I had not tried making a call to one of the devices behind NAT.
I started testing calls to a NAT device at home from a server out on the 'net. The SPA device was registered and configured with "nat=yes" but calls were failing with 404 errors. At first I thought it was just that I needed to call some special extension in the SPA.
A little network traffic sniffing showed that even though I'd told Asterisk that the device is behind NAT, it was trying to send calls to port 5060 on the public IP address. That was reaching my home Asterisk server which generated the 404.
So...more reading...I found this paper on SIP and NAT.it I noticed The proxy needs to return SIP packets on the same port it received them to the IP:port that the packets were sent from (not to any standard SIP port, e.g. 5060). SIP has tags that tell the proxy to do this -- the "received" tag tells the proxy to return a packet to a specific IP and the "rport" tag  keeps the port to return to. Ah ha! I recalled "rport" in the NAT part of the SPA's SIP page. I experimented and found that all I needed to do was switch "Insert VIA rport" to "On" to make it work.