Looking for some opinions on security concerns with a Dynamic IP handoff from a service provider that sends both Internet and SIP traffic down the same physical circuit. The provider separates the SIP and Internet traffic with separate DLCIs going into their MPLS cloud via Frame Relay. SIP traffic is routed to a private IP address in the provider cloud that is specific to my individual setup, and they route the public IPs to the public address attached to my Internet DLCI.

On my end I have a 2811 with Advanced IP Services and CUBE. The public addresses will be handed off via my second Ethernet interface on the 2811 and will plug into the outside interface of an ASA and will act as the client's secondary Internet connection. The primary Ethernet interface is connected directly to the LAN. Both the SIP DLCI and Internet DLCI have public assigned IP addresses going upstream into the cloud. However, there seems to be some level of security in the MPLS environment by default because I can't access my SIP DLCI from the Internet (I don't have the Internet DLCI running yet).

I'm being cautious because my router has one leg on the net and one on the LAN, and voice traffic is flowing in and out via SIP through the CUBE. While I'm very familiar with voice and routing/security, I'm not so much with SIP trunks and CUBE, so I guess I don't know what I don't know and am looking for suggestions on making sure this is locked down properly. I do know the sip-ua is set up to hide the internal IP address. I've attached a Visio that shows the logical setup minus IP addresses. Here's a quick breakdown of interfaces.
Inside F0/1= 10.150.X.2 (Voice LAN)
Outside F0/0= 209.X.X.1 (Internet gateway for outside of ASA).
S0/0.500= DLCI 500 for internet 74.X.X.X/30
S0/0.501= DLCI 501 for SIP upstream 73.X.X.X/30
Upstream Provider SIP server= 192.168.X.X
Any help would be appreciated.