Ports that need to be redirected with a NAT are 5060 and 16384 through 16403, all UDP. For audio, at least one machine needs to be past a firewall, or the NAT stuff needs to be adjusted. I am not sure about video.
[robg adds: I was able to run iChat AV without opening any holes in my firewall, so I'm not sure when this might be required.]
Mac OS X Hints
http://hints.macworld.com/article.php?story=20030623203213301