Giving a public IP to CCM is not a recommended design.
But if you have to provide a SIP trunk in the way you stated, you need more than security for CCM.
You should use CUBE.
Hiding the IP addresses of enterprise voice endpoints (such as those belonging to IP phones, call agents, and TDM voice gateways) from external view requires more than NAT. NAT adjusts the IP addressing of IP packet headers and some of the IP addresses appearing elsewhere in a SIP packet, but there are additional SIP header fields containing IP addresses that NAT does not adjust. Therefore, you should use a back-to-back SIP user agent at the network demarcation point of the unified communications SIP trunk. The Cisco Unified Border Element can provide this agent, where the media and signaling flow through the Cisco Unified Border Element and the service provider sees only the addresses of this device.
The Cisco Unified Border Element terminates the entire SIP session and re-originates it on the other side, thereby changing IP addresses in all fields of the SIP messaging, ensuring that an endpoint outside the enterprise network never sees an internal enterprise IP address; only the IP address of the Cisco Unified Border Element is visible.
This topology hiding is important to ensure that any attacks that come from the service provider can be directed only toward the demarcation point, and the communications within the enterprise are not disrupted.
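One way to check the topology-hiding property described above is to scan the SIP messages captured on the provider-facing side for internal addresses left in header fields or SDP. This is an added example, not part of the original post and not Cisco code; the function name, the RFC 1918 range list and both sample messages are constructed assumptions.

```python
import ipaddress
import re

# Assumption: "internal" means RFC 1918; add any other ranges the enterprise uses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def internal_address_leaks(sip_message):
    """Return (field, address) for each internal IPv4 address found in the
    start line, SIP headers or SDP body of one SIP message."""
    leaks, in_body = [], False
    for number, line in enumerate(sip_message.strip().splitlines()):
        line = line.strip()
        if not line:                      # blank line: headers end, SDP begins
            in_body = True
            continue
        if number == 0:
            field = "start-line"
        elif in_body:
            field = "sdp " + line.partition("=")[0]
        else:
            field = line.partition(":")[0].strip()
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:            # dotted number that is not an address
                continue
            if any(addr in net for net in INTERNAL_NETS):
                leaks.append((field, text))
    return leaks

# Constructed INVITE in which internal addresses remain inside SIP fields.
SAMPLE = """\
INVITE sip:+15550100@198.51.100.20 SIP/2.0
Via: SIP/2.0/UDP 10.1.20.5:5060;branch=z9hG4bK776asdhds
From: <sip:4001@10.1.20.5>;tag=1928301774
Call-ID: a84b4c76e66710@10.1.20.5
Contact: <sip:4001@10.1.20.5:5060>
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 10.1.30.44
c=IN IP4 10.1.30.44
m=audio 16384 RTP/AVP 0
"""
# Constructed stand-in for the same call re-originated from one border address.
REORIGINATED = SAMPLE.replace("10.1.20.5", "203.0.113.10").replace("10.1.30.44", "203.0.113.10")

if __name__ == "__main__":
    for field, addr in internal_address_leaks(SAMPLE):
        print(f"internal address {addr} visible in {field}")
```

An empty result for every message leaving the demarcation point is the expected outcome when a back-to-back user agent is in the path.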