NAT configuration for EIP (Elastic IP) in Asterisk
1 vote, 1 answer, 1667 views
When running Asterisk on Amazon EC2 with an EIP, what are the NAT configurations for Asterisk?
```ini
[general]
nat=yes
externip=xxx.yyy.zzz.vvv
localnet=192.168.0.0/255.255.0.0 ; RFC 1918 addresses
localnet=10.0.0.0/255.0.0.0 ; Also RFC1918
localnet=172.16.0.0/12 ; Another RFC1918 with CIDR notation
localnet=169.254.0.0/255.255.0.0 ; Zero conf local network
```
Apparently, EIC uses NAT:
> If your EC2 instance is in a private subnet in your VPC, then it can
> use your NAT to make outbound connections. The outside world would see
> its IP address as your NAT's IP address, but the NAT's IP address
> would never "be" the Public IP address of the instance.
Overview of how EIP works:
> Before going into an example, let's review how the Elastic IPs work:
...
> Remember that each instance has an internal IP address and an
> external (public) one, which is translated to the internal one. If two
> external IPs were translated to the same internal IP then inbound
> packets would arrive fine, but sorting out outgoing packets (i.e.
> determining which external IP address to assign to outgoing packets)
> would be very difficult. Hence, the limitation of a single external IP
> address per instance at any given point in time.
Wikipedia (for my reference):
> Elastic IP addresses Amazon Elastic IP
>
> Amazon's elastic IP address feature is similar to static IP address in
> traditional data centers, with one key difference. A user can
> programmatically map an elastic IP address to any virtual machine
> instance without a network administrator's help and without having to
> wait for DNS to propagate the binding. In this sense an Elastic IP
> Address belongs to the account and not to a virtual machine instance.
> It exists until it is explicitly removed, and remains associated with
> the account even while it is associated with no instance.
>
>
Getting down to nuts and bolts, in the context of SIP and Asterisk:
>
> 1.3. Different types of NATs and firewalls.
>
> There are several ways UDP might be handled by a specific NAT or
> firewall implementations, these are categorized into:
>
> 1.3.1 Full Cone NAT
>
> A full cone NAT is one where all requests from the same internal IP
> address and port are mapped to the same external IP address and port.
> Furthermore, any external host can send a packet to the internal host,
> by sending a packet to the mapped external address.
>
>
>
> 1.3.2 Restricted Cone:
>
> A restricted cone NAT is one where all requests from the same internal
> IP address and port are mapped to the same external IP address and
> port. Unlike a full cone NAT, an external host (with IP address X) can
> send a packet to the internal host only if the internal host had
> previously sent a packet to IP address X.
>
>
>
> 1.3.3 Port Restricted Cone:
>
> A port restricted cone NAT is like a restricted cone NAT, but the
> restriction includes port numbers.
>
> Specifically, an external host can send a packet, with source IP
> address X and source port P, to the internal host only if the internal
> host had previously sent a packet to IP address X and port P.
>
>
>
> 1.3.4 Symmetric NAT:
>
> A symmetric NAT is one where all requests from the same internal IP
> address and port, to a specific destination IP address and port, are
> mapped to the same external IP address and port. If the same host
> sends a packet with the same source address and port, but to a
> different destination, a different mapping is used. Furthermore, only
> the external host that receives a packet can send a UDP packet back to
> the internal host.
It sounds like EIC uses "full cone" NAT. What would be the Asterisk settings for NAT, then?
Asked by Thufir
(1970 rep)
Jan 5, 2017, 01:00 PM
Last activity: Apr 25, 2020, 12:59 AM
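An added example, not part of the original question: a small Python model of the four UDP NAT behaviours described in the quoted section 1.3, showing which inbound packets each type admits after an internal host has sent one packet out. The class and function names and all addresses are constructed for illustration.

```python
# Added example: model of the four UDP NAT behaviours quoted in section 1.3.
# All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).
from itertools import count

KINDS = ("full_cone", "restricted", "port_restricted", "symmetric")

class Nat:
    def __init__(self, kind, external_ip="203.0.113.10"):
        if kind not in KINDS:
            raise ValueError(kind)
        self.kind, self.external_ip = kind, external_ip
        self._ports = count(40000)  # next external port to hand out
        self._map = {}              # mapping key -> external port
        self._owner = {}            # external port -> internal (ip, port)
        self._sent = {}             # external port -> {(dst_ip, dst_port)} contacted

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to dst=(ip, port); return external (ip, port)."""
        # Cone NATs key the mapping on the internal endpoint only;
        # a symmetric NAT keys it on the destination as well.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self._map:
            port = next(self._ports)
            self._map[key] = port
            self._owner[port] = src
            self._sent[port] = set()
        port = self._map[key]
        self._sent[port].add(dst)
        return (self.external_ip, port)

    def inbound(self, remote, ext_port):
        """Packet from remote=(ip, port) to ext_port; internal endpoint, or None if dropped."""
        if ext_port not in self._owner:
            return None                         # no mapping exists
        contacted = self._sent[ext_port]
        if self.kind == "full_cone":
            allowed = True                      # any external host may send
        elif self.kind == "restricted":
            allowed = remote[0] in {ip for ip, _ in contacted}  # IP must match
        else:                                   # port_restricted, symmetric
            allowed = remote in contacted       # IP and port must match
        return self._owner[ext_port] if allowed else None

def admits(kind, remote):
    """A host at 10.0.0.5:5060 contacts one peer; is a packet from `remote` let back in?"""
    nat = Nat(kind)
    _, port = nat.outbound(("10.0.0.5", 5060), ("198.51.100.7", 5060))
    return nat.inbound(remote, port) is not None
```
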