cisco 2600 and dmz

tonyspcrepairs
Level 2

cisco 2651xm router

firmware c2600-ipbasek9-mz.124-17

Hi, and sorry for such a simple question, but is it possible with this router to allocate a LAN IP address to a DMZ? I have a firewall, port forwarding and access lists already in this router and I don't want to DMZ the whole LAN, just one machine. The reason is I've installed freepbx-15 on this LAN machine and it recommends the machine be in the DMZ to work best. The freepbx machine has its own firewall. Thanks for any advice.


13 Replies

balaji.bandi
Hall of Fame

You can create a zone-based FW on this device. If it is only 1 device, you can do port forwarding from the external IP address to the internal IP address.

 

If you are keen to set up a DMZ as your requirement, can you post show version and show run so we can look at what is already configured?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your response. Below is show version and show run.

 

ipbase#show ver
Cisco IOS Software, C2600 Software (C2600-IPBASEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 07-Sep-07 16:04 by prod_rel_team

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

ipbase uptime is 3 weeks, 2 days, 23 hours, 8 minutes
System returned to ROM by power-on
System restarted at 17:09:04 GMT Fri Dec 11 2020
System image file is "flash:c2600-ipbasek9-mz.124-17.bin"

<snip>

Cisco 2651XM (MPC860P) processor (revision 4.1) with 253952K/8192K bytes of memory.
Processor board ID FCZ103872ZR
M860 processor: part number 5, mask 2
18 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

 

ipbase#show run
Building configuration...

Current configuration : 5469 bytes
!
! Last configuration change at 23:22:10 GMT Thu Dec 17 2020
!
version 12.4
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ipbase
!
boot-start-marker
boot system flash c2600-ipbasek9-mz.124-17.bin
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 <secret>
enable password 7 <password>

!
no aaa new-model
clock timezone GMT 0
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 156.154.70.22
ip name-server 156.154.71.22
vpdn enable
!
!
!
!
archive
log config
hidekeys
!
!
!
!

interface FastEthernet0/0
no ip address
ip tcp adjust-mss 1350
no ip mroute-cache
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip tcp adjust-mss 1350
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
ip address 172.16.1.30 255.255.0.0
ip access-group 102 in
ip nat inside
!
interface Dialer1
ip address negotiated
ip access-group RESTRICT_IP in
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname <hostname>
ppp chap password 7 <password>
ppp pap sent-username <username> password 7 <password>
ppp ipcp dns request accept
ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.8.0.0 255.255.255.0 172.16.1.61
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 172.16.1.200 8086 interface Dialer1 8086
ip nat inside source static udp 172.16.1.200 4500 interface Dialer1 4500
ip nat inside source static udp 172.16.1.200 500 interface Dialer1 500
ip nat inside source static tcp 172.16.1.195 8095 interface Dialer1 8095
ip nat inside source static tcp 172.16.1.190 443 interface Dialer1 443
ip nat inside source static tcp 172.16.1.180 80 interface Dialer1 80
ip nat inside source static tcp 172.16.1.52 8092 interface Dialer1 8092
ip nat inside source static tcp 172.16.1.107 8093 interface Dialer1 8093
ip nat inside source static tcp 172.16.1.57 8094 interface Dialer1 8094
ip nat inside source static tcp 172.16.1.151 90 interface Dialer1 90
ip nat inside source static tcp 172.16.1.87 8091 interface Dialer1 8091
ip nat inside source static tcp 172.16.1.73 8090 interface Dialer1 8090
ip nat inside source static tcp 172.16.1.61 34557 interface Dialer1 34557
ip nat inside source static tcp 172.16.1.61 25 interface Dialer1 25
ip nat inside source static udp 172.16.1.61 514 interface Dialer1 514
ip nat inside source static udp 172.16.1.61 161 interface Dialer1 161
ip nat inside source static udp 172.16.1.61 5060 interface Dialer1 5060
!
ip access-list extended RESTRICT_IP
permit udp host 80.229.140.247 any eq syslog
permit udp host 80.229.140.247 any eq snmp
permit udp host 198.91.92.112 any eq syslog
permit udp host 198.91.92.112 any eq snmp
permit udp host 217.14.138.127 any eq 5060
permit udp host 217.10.79.23 any eq 5060
deny udp any any eq syslog
deny udp any any eq 5060
deny udp any any eq snmp
permit ip any any
!
logging trap debugging
logging 172.16.1.61
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.16.1.180
access-list 10 permit 172.16.1.13
access-list 10 permit 80.229.140.247
access-list 10 deny any
access-list 100 permit udp any eq 5060 any
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 172.16.0.0 0.0.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community public RO 10
no cdp run
!
control-plane
!
bridge 1 protocol ieee
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password 7 <password>
login
!
ntp authenticate
ntp clock-period 17208437
ntp source Dialer1
ntp server 88.190.29.49
ntp server 129.215.160.240
ntp server 78.129.239.26
ntp server 143.210.16.201
ntp server 82.219.4.31
!
end

It has been a long time since I have worked with a 2651. So it might be possible that there is something about it or about the ipbase image that could impact the implementation. But I would think that it should be possible to create a new vlan (perhaps vlan 2), to configure the vlan interface for the vlan, to assign an IP address and mask to the vlan interface, to assign an interface to that vlan (perhaps FastEthernet1/15) and to use that as DMZ. 

 

HTH

Rick

Thank you Rick. I was also wondering about the possibility of allocating one of the switch ports to the DMZ.

You are welcome. I am optimistic that it should work. But wanted to qualify my answer with a degree of uncertainty since it has been so long since I have worked with that platform or version of code. If you do try to implement it please update us with the result.

HTH

Rick

balaji.bandi
Hall of Fame

Coming back to deployment, what is the PBX IP address and the external IP address? (Do you have a dedicated public IP address, or do you want to use the one allocated from the dialer?)

 

BB


The PBX LAN IP is 172.16.1.225.
Yes, I have a static public IP address, 212.159.70.205.

balaji.bandi
Hall of Fame

If you would like to make a new DMZ network, you need to change the IP address. Is this possible?

Do you also need to access this PBX from local users?

Will static NAT be OK, or do you want to deploy only a DMZ? If so, think about the change and re-addressing the PBX IP address.

BB


Yes, it would be OK to change the IP address. Or do you mean change the subnet?

I would like to access the PBX from local users, but it's not essential. I think just a DMZ would be better.

Yes, if you are happy to change the subnet, here is an example:

I used the last interface so it is easy for you to identify the DMZ setup. I used 10.10.10.X; you can change it to whatever subnet you like. I have added a static route to allow any port; if you like, you can be more granular with only a port, using the extendable option. Test and advise.

If you want to limit it to only a subnet, change the subnet from /24 to a lower number.

The high-level config looks like below. Does this make sense?

 

interface FastEthernet1/15
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.10.10.253 212.159.70.205

BB

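Added example, not from the thread or from Cisco: a small Python model of how an inbound packet on Dialer1 is handled, first by the posted inbound ACL RESTRICT_IP and then by NAT, contrasting the existing per-port forwards with BB's proposed 1:1 static NAT. It assumes the PBX is re-addressed to 10.10.10.253 as in BB's example, reduces each ACL line to the fields it actually tests, and uses 203.0.113.9 as a constructed "unlisted" source address; the point it shows is that under the 1:1 mapping every port the ACL permits reaches the PBX, which is why the PBX's own firewall matters.

```python
# Added example (not from the thread). Inbound order on Dialer1: ACL first, then NAT.

# RESTRICT_IP transcribed from "show run": (action, proto, source host or "any", dst port)
RESTRICT_IP = [
    ("permit", "udp", "80.229.140.247", 514),   # eq syslog
    ("permit", "udp", "80.229.140.247", 161),   # eq snmp
    ("permit", "udp", "198.91.92.112", 514),
    ("permit", "udp", "198.91.92.112", 161),
    ("permit", "udp", "217.14.138.127", 5060),  # SIP providers
    ("permit", "udp", "217.10.79.23", 5060),
    ("deny",   "udp", "any", 514),
    ("deny",   "udp", "any", 5060),
    ("deny",   "udp", "any", 161),
    ("permit", "ip",  "any", None),             # None = any port
]

# Three of the existing "ip nat inside source static <proto> ... interface Dialer1" entries
PORT_FORWARDS = {("tcp", 443): "172.16.1.190", ("tcp", 25): "172.16.1.61", ("udp", 5060): "172.16.1.61"}

# BB's proposal "ip nat inside source static 10.10.10.253 212.159.70.205" (assumed DMZ address)
DMZ_HOST = "10.10.10.253"

def acl_action(proto, src, dport):
    """First matching RESTRICT_IP line wins; an IOS ACL ends with an implicit deny."""
    for action, rproto, rsrc, rport in RESTRICT_IP:
        if rproto != "ip" and rproto != proto:
            continue
        if rsrc != "any" and rsrc != src:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

def inbound(proto, src, dport, mode):
    """Inside host that receives the packet, or None if it is dropped.
    mode "forward": today's per-port static entries; mode "dmz": BB's 1:1 static NAT."""
    if acl_action(proto, src, dport) == "deny":
        return None                               # dropped by the Dialer1 inbound ACL
    if mode == "dmz":
        return DMZ_HOST                           # every permitted port lands on the PBX
    return PORT_FORWARDS.get((proto, dport))      # no translation => no inside host

def exposed_ports(candidates, src="203.0.113.9"):
    """Ports from an unlisted source (constructed address) that reach the DMZ host."""
    return [(p, d) for p, d in candidates if inbound(p, src, d, "dmz") is not None]
```

Swapping the per-port entries for the 1:1 mapping only narrows exposure where RESTRICT_IP already denies (udp syslog, snmp and 5060 from unlisted sources); everything else is left to the PBX host firewall.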

Thank you very much for your input. I had an error on the second line:

ipbase(config-if)#ip address 10.10.10.254 255.255.255.0

% IP addresses may not be configured on L2 links.

So it seems my only option is to configure the port itself as the DMZ.

interface FastEthernet1/15
 no switchport
 ip address 10.10.10.254 255.255.255.0

BB


Thank you again. It's early days while testing, but this appears to have worked.
