The H.323 protocol places IP numbers inside the signaling messages and establishes multiple TCP and UDP connections for a single call. You can't even be sure beforehand of the direction in which some of these connections are established. This makes it harder to get
H.323 through a NAT than other protocols.
To get through firewalls and NATs, the GNU Gatekeeper supports a lot of different traversal methods and protocols. The combination of H.460.18 and H.460.19 (usually called "H.460 NAT traversal" for short) is by far the most common NAT traversal protocol and is supported by virtually all H.323 endpoints today.
The best approach is to place a GNU Gatekeeper on a public IP address in front of your firewall and enable H.460.18 NAT traversal. You don't have to open any inbound port - just allow outgoing connections in your firewall, which is usually the default anyway.
If not all of your endpoints support H.460.18 or if you have a lot of internal calls, you can place a 2nd GnuGk inside your firewall and let it tunnel calls out for all internal endpoints combined. This called a "traversal zone". See Chapter 10 in the GNU Gatekeeper manual how to configure the outside GnuGk as traversal server and the GnuGk inside the firewall as traversal client.
A simple, one gatekeeper configuration for NAT traversal looks like this:
Register all your endpoints with the gatekeeper, whether they are inside or outside the firewall, and you should be able to make calls in and out.