[asterisk-users] How to configure asterisk to only accept SIP from kamailio at localhost but exchange RTP on all interfaces?

[Alex Villací­s Lasso]

I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following the setup guide at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration 
(MySQL database) so that kamailio authenticates and then forwards the registration to asterisk on localhost. The setup calls for asterisk to be configured to listen for SIP traffic on all interfaces, on a nonstandard port (I chose 5080). It also calls for 
blanking of the password for the SIP peer (in my case, a softphone), so that it will not request for authentication again. I have managed to make a call with working audio from the softphone to an extension on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting 
bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is 
that the RTP traffic is being sent to kamailio instead of the softphone.

How can I set up asterisk so that it can send RTP anywhere but reject any SIP traffic that does not come from the kamailio process on localhost?