Hi!
Flowroute has the same "problem"..
Traffic to port the usual SIP ports (ie 5060/5061) comes from known servers but the traffic to the RTP ports comes from servers which IP are not known...
What I did was put an ACL on port 5060/5061 and not put any any ACL on the RTP ports, traffic from everywhere to the RTP ports is allowed...
AFAIK, only the 5060 is usually probed by people who want to abuse of your PBX and while you are permitting access to a lot of ports without any ACL only a very small portion of them are opened at the same time...
Good luck and have a nice day!
Nick