Hi,
The STUN protocol's aim is to discover which kind of NAT device you are behind. Behind a firewall it will usually tell you that you're behind a "blocked" connection type, because a "real" firewall tends to have a strict ruleset which will prevent the incoming RTP/UDP voice stream from getting through it.
If you have a firewall setup, the only clean solution is to install a SIP-aware proxy either on the firewall or install a separate SIP (+RTP/UDP) forwarding proxy in the DMZ.
-- Arnd
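
The discovery procedure mentioned above, sketched as an added example that is not part of the original post: it assumes the classic RFC 3489 STUN tests (Test I, II, III), and the function names and sample addresses are hypothetical. It shows why a strict firewall ends up as "Blocked": no reply to the very first probe ever comes back.

```python
import os
import struct
from typing import Optional, Tuple

Addr = Tuple[str, int]

BINDING_REQUEST = 0x0001          # RFC 3489 message type
CHANGE_REQUEST = 0x0003           # RFC 3489 attribute type
CHANGE_IP, CHANGE_PORT = 0x04, 0x02


def binding_request(change_ip: bool = False, change_port: bool = False,
                    txid: Optional[bytes] = None) -> bytes:
    """Encode a Binding Request; the flags ask the server to reply from
    a different IP and/or port (used by Test II and Test III)."""
    txid = txid or os.urandom(16)          # 128-bit transaction ID
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HH", BINDING_REQUEST, len(attrs)) + txid + attrs


def classify(local: Addr, test1: Optional[Addr], test2: bool,
             test1_alt: Optional[Addr] = None, test3: bool = False) -> str:
    """Walk the RFC 3489 decision tree.

    local     -- address the client socket is bound to
    test1     -- mapped address from Test I, None if no reply arrived
    test2     -- True if a reply to Test II (change IP + port) arrived
    test1_alt -- mapped address from Test I sent to the alternate server address
    test3     -- True if a reply to Test III (change port only) arrived
    """
    if test1 is None:
        return "Blocked"                   # UDP never made the round trip
    if test1 == local:                     # no address translation in the path
        return "Open Internet" if test2 else "Symmetric UDP Firewall"
    if test2:
        return "Full Cone NAT"
    if test1_alt is None:
        return "Indeterminate"             # alternate address unreachable
    if test1_alt != test1:
        return "Symmetric NAT"             # mapping depends on destination
    return "Restricted Cone NAT" if test3 else "Port Restricted Cone NAT"


if __name__ == "__main__":
    # Constructed sample: client behind a firewall that drops all STUN replies.
    print(classify(("192.0.2.10", 5060), None, False))
```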