The FPBX firewall can pose a moderate learning curve. Think carefully about what you touch - the functionality of the firewall isn't always what you'd think it would be. Good luck!
When FPBX will be connecting to a Trunk from behind NAT, it's important to ensure correct port forwarding configuration and firewall policies to allow traffic between the two systems.
For SIP, ensure that either 5060/tcp/udp or 5061/tcp/udp (depending on your configuration) is forwarded through your firewall. I highly recommend only allowing traffic from your provider's defined signalling gateways. Be sure FPBX can talk out to the signalling gateways via the same ports, too.
For RTP, consult your provider's documentation to determine the port range that needs to be open to accept new media channel connections. In my case, 10,000-60,000/udp must be forwarded through the firewall to FPBX. Again, only allow traffic to the port range from the provider's media gateways.
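The SIP and RTP forwarding policy described above, as an added example that is not part of the original page: a POSIX shell script that prints (does not apply) source-restricted iptables rules for a Linux NAT gateway and checks that no forward is left open to any source. Using iptables on the NAT device is an assumption, and the interface name, PBX address and gateway addresses are constructed placeholders; it covers inbound forwarding only.

```shell
#!/bin/sh
# Added example: prints iptables rules for review, it never runs iptables.
# Every address and interface name below is a constructed placeholder;
# substitute the values from your provider's documentation.
WAN_IF="eth0"                              # assumed WAN-facing interface
PBX_IP="192.168.1.10"                      # assumed internal FPBX address
SIP_PORT="5060"                            # or 5061, depending on configuration
SIP_PROTOS="udp tcp"
RTP_RANGE="10000:60000"                    # the range given in the text, udp only
SIGNALLING_GWS="203.0.113.10 203.0.113.11" # constructed signalling gateways
MEDIA_GWS="198.51.100.0/28"                # constructed media gateway range

# forward_rule PROTO SOURCE DPORT: one DNAT rule plus the matching FORWARD
# accept, both pinned to a single source so nothing else reaches the PBX.
forward_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p %s -s %s --dport %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$1" "$2" "$3" "$PBX_IP"
    printf 'iptables -A FORWARD -i %s -p %s -s %s -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$1" "$2" "$PBX_IP" "$3"
}

emit_rules() {
    for gw in $SIGNALLING_GWS; do
        for proto in $SIP_PROTOS; do
            forward_rule "$proto" "$gw" "$SIP_PORT"
        done
    done
    for gw in $MEDIA_GWS; do
        forward_rule udp "$gw" "$RTP_RANGE"
    done
    # Allow replies to connections the PBX opened, then drop every other
    # inbound packet addressed to the PBX.
    printf 'iptables -A FORWARD -i %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$PBX_IP"
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$WAN_IF" "$PBX_IP"
}

# audit_rules: reads rules on stdin and fails if any DNAT rule lacks a
# source (-s) restriction, i.e. a port forward open to the whole internet.
audit_rules() {
    ! grep -- '-j DNAT' | grep -qv -- ' -s '
}

emit_rules
```

Piping an existing rule listing into `audit_rules` gives a quick check that every port forward is pinned to a source address.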
Ensure any internal networks that Endpoints or other devices will reside on are listed in the Local Networks section under Settings → Asterisk SIP Settings → NAT Settings. If you do not configure this, Asterisk will tell SIP endpoints to use the External Address for RTP (amongst other services) - this can, and probably will, cause serious connectivity issues.
On the NAT side of things, refer to Local Network Endpoints.