You don’t, per se.
You limit who can talk to the port using a combination of blacklists and whitelists. You then port forward “all traffic” on that port to the PBX. The UDP forward for 10000-20000 isn’t critical, since it’s the audio; locking it down to specific addresses is probably overkill.
If you want to (for example) limit who can talk to port 5060 to just your ITSP, you set that up with a comprehensive blacklist and whitelist your ISP.
For your “dyndns” host, I’d recommend picking a different “external” port (say, 6050 or 31415 or something else) and forward that to 5060 on the PBX. This ‘off-channel’ port won’t be scanned by the script kiddies. You can then open up DynDNS on the firewall and let the PBX manage the connections. Set up the phone at the dyndns location so that it talks to your external address and port (188.8.131.52:31415, for example) and go to town.
Of course, you can do the same thing using either a phone-based VPN connection, or connecting the remote network to your phone number using a network VPN. Standard caveats apply.
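One way to express the layout described in this answer as firewall rules, assuming a Linux gateway that uses iptables (an added example, not part of the original post). The function name `gen_pbx_rules`, the interface name and all addresses are constructed placeholders, and SIP is assumed to run over UDP.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables commands for the
# forwarding layout described above. Addresses are constructed placeholders.

# gen_pbx_rules WAN_IF PBX_IP ITSP_IP ALT_PORT  (hypothetical helper)
gen_pbx_rules() {
    if [ $# -ne 4 ]; then
        echo "usage: gen_pbx_rules WAN_IF PBX_IP ITSP_IP ALT_PORT" >&2
        return 2
    fi
    wan_if=$1 pbx_ip=$2 itsp_ip=$3 alt_port=$4

    # ALT_PORT must be a plain number of at most five digits.
    case $alt_port in
        ''|*[!0-9]*|??????*) echo "ALT_PORT must be numeric" >&2; return 2 ;;
    esac
    # Reject low ports, 5060 itself, and anything inside the RTP range.
    if [ "$alt_port" -lt 1024 ] || [ "$alt_port" -gt 65535 ] ||
       [ "$alt_port" -eq 5060 ] ||
       { [ "$alt_port" -ge 10000 ] && [ "$alt_port" -le 20000 ]; }; then
        echo "ALT_PORT $alt_port collides with SIP/RTP or is out of range" >&2
        return 2
    fi

    cat <<EOF
# SIP signalling on 5060: forwarded only when the source is the ITSP
iptables -t nat -A PREROUTING -i $wan_if -p udp -s $itsp_ip --dport 5060 -j DNAT --to-destination ${pbx_ip}:5060
# Remote phone: alternate external port, translated to 5060 on the PBX
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $alt_port -j DNAT --to-destination ${pbx_ip}:5060
# RTP audio: forwarded from any source
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport 10000:20000 -j DNAT --to-destination $pbx_ip
# Let the translated flows through the FORWARD chain
iptables -A FORWARD -i $wan_if -p udp -d $pbx_ip --dport 5060 -j ACCEPT
iptables -A FORWARD -i $wan_if -p udp -d $pbx_ip --dport 10000:20000 -j ACCEPT
EOF
}

# Constructed sample values: WAN interface, PBX LAN address, ITSP address, alternate port.
gen_pbx_rules eth0 192.168.1.10 198.51.100.10 31415
```

Review the printed commands before running them as root. The alternate port is left open to any source here, so the PBX's own authentication decides which remote phones may register.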