1. make an inbound extended access-list to allow inbound connections on port 1720 tcp only from your gateway.
2. Run Radius authentication on your incoming dialpeer.
3. Put an ANI on your incoming dialpeer and let the gatekeeper send all the calls with that ANI.
4. Configure a tech prefix on the cisco gateway that is hard to guess.
Are those enough ?