Как-то так:
такой ZBF:
class-map type inspect match-any SDM_HTTPS
! --- Inspect class-maps (ZBF traffic classification). The "class-map ... SDM_HTTPS"
! header is the line just above. SDM_HTTPS / SDM_SSH / SDM_SHELL point at named ACLs
! (defined further down) that permit tcp/443, tcp/22 and tcp/514 (rsh, "cmd") from
! ANY source to ANY destination.
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
! sdm-cls-access: HTTPS, SSH, rsh and ICMP. Consumed by sdm-access, which is the
! class allowed in the out-zone -> self policy (ccp-permit) below.
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
match protocol icmp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
! SDM_VPN_SERVER_TRAFFIC: VPN termination protocols plus whatever numbered ACL 104
! permits. NOTE(review): 104 has no remark and is reused by CCP-Voice-permit and by
! route-map NATE, so a change there affects three unrelated policies.
class-map type inspect match-any SDM_VPN_SERVER_TRAFFIC
match protocol isakmp
match class-map SDM_AH
match class-map SDM_ESP
match protocol ipsec-msft
match protocol l2tp
match class-map SDM_GRE
match access-group 104
! CCP-Voice-permit: voice signalling (h323/skinny/sip) plus ACL 104. Because 104
! contains "permit ip any host y.y.y.y", this class matches much more than voice.
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
match access-group 104
! ccp-cls-insp-traffic: application protocols inspected for in-zone -> out-zone.
! The trailing "match protocol tcp" / "match protocol udp" make it effectively any TCP/UDP.
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
! SDM_IP: named ACL is "permit ip any any" -> matches everything. Used with "pass"
! in both in-zone <-> ezvpn-zone pairs, i.e. no inspection on the VPN side.
class-map type inspect match-all SDM_IP
match access-group name SDM_IP
! VoipNM is a QoS class (not "type inspect"): the voice hosts in ACL 105.
class-map match-all VoipNM
match access-group 105
! ccp-cls-icmp-access: router-originated ICMP/TCP/UDP (self -> out-zone policy).
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
! p2p: dropped and logged by ccp-inspect.
class-map type inspect match-any p2p
match protocol bittorrent
match protocol edonkey
match protocol gnutella
match protocol kazaa2
match protocol fasttrack
class-map type inspect match-all SDM_VPN_SERVER_PT
match class-map SDM_VPN_SERVER_TRAFFIC
! sdm-access = sdm-cls-access AND ACL 102. ACL 102 is "permit ip any any", so it adds
! no restriction: management ports on the router are reachable from any out-zone source.
! NOTE(review): ACL 23 (below) lists internal management networks but is not referenced
! anywhere in this paste; tightening 102 to those sources would be the natural fix.
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
! ccp-invalid-src: bogus sources per ACL 100 (255.255.255.255 and 127.0.0.0/8).
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
! --- Inspect policy-maps. Actions: "inspect" = stateful (return traffic is allowed
! automatically); "pass" = stateless one-way permit, the reverse zone-pair must allow
! the replies itself; "drop log" = drop and send a syslog message.
! self -> out-zone: ICMP/TCP/UDP from the router is inspected, everything else passes.
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
! QoS: strict-priority queue (128 kbps) for the ACL 105 voice hosts; applied as
! "service-policy output VoipNM" on FastEthernet0/0.
policy-map VoipNM
class VoipNM
priority 128
class class-default
fair-queue
! out-zone -> in-zone: only CCP-Voice-permit gets in, and it is "pass", not "inspect",
! so these flows are not tracked. NOTE(review): ACL 104 inside that class has
! "permit ip any host y.y.y.y", and y.y.y.y is the static-NAT address of 172.17.7.220.
! Whether this ACE matches depends on NAT/firewall ordering for inbound packets -- if it
! does, any protocol reaches 172.17.7.220 uninspected. Verify with
! "show policy-map type inspect zone-pair sessions".
policy-map type inspect sdm-inspect-voip-in
class type inspect CCP-Voice-permit
pass
class class-default
drop
! in-zone -> out-zone: invalid sources and P2P are dropped+logged; HTTP, the application
! list and voice are inspected. class-default "pass" lets anything else out statelessly --
! its replies are then dropped by sdm-inspect-voip-in unless they match the voice class.
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect p2p
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
! out-zone -> self (router management plane): HTTPS, SSH, rsh and ICMP from any source are
! inspected (i.e. allowed), VPN traffic passes, everything else is dropped+logged.
! NOTE(review): restrict the source (ACL 102 is currently "permit ip any any") and
! consider removing SDM_SHELL -- rsh is cleartext and relies on host-based trust.
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class type inspect SDM_VPN_SERVER_PT
pass
class class-default
drop log
! in-zone <-> ezvpn-zone: SDM_IP is "permit ip any any", so everything passes uninspected
! in both directions (both zone-pairs below use this policy).
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
! --- Zones and zone-pairs.
! NOTE(review): no "zone-member security ..." statement is visible on FastEthernet0/0,
! FastEthernet0/1 or on any EzVPN interface in this paste. If they are really absent,
! none of these zone-pairs sees any traffic -- interfaces that belong to no zone are
! not policed by ZBF at all.
zone security out-zone
zone security in-zone
zone security ezvpn-zone
! LAN <-> VPN: uninspected pass in both directions (sdm-permit-ip).
zone-pair security sdm-zp-in-ezvpn source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
! Router-originated traffic to the Internet.
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
! Internet -> LAN: voice class only (pass), everything else dropped.
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
! LAN -> Internet: inspection policy.
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
! Internet -> router itself: management + VPN termination.
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
--- Внутренний и внешний интерфейсы
! --- Inside (LAN) interface, 172.17.0.0/16. NOTE(review): no "zone-member security in-zone"
! here -- either trimmed from the paste or missing (see the zone section).
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$FW_INSIDE$
ip address 172.17.0.1 255.255.0.0
ip flow egress
ip nat inside
! VFR reassembles fragments before inspection on this side.
ip virtual-reassembly in
duplex auto
speed auto
! Voice priority queueing towards the LAN.
service-policy output VoipNM
!
! --- Outside (Internet) interface: x.x.x.x primary, y.y.y.y secondary (a /28 each).
! NOTE(review): no "zone-member security out-zone" visible here either.
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address y.y.y.y 255.255.255.240 secondary
ip address x.x.x.x 255.255.255.240
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
! Both classic NAT ("ip nat outside") and NVI NAT ("ip nat enable") are enabled on the
! same interface; mixing the two models is easy to get wrong -- confirm which one is meant.
ip nat outside
ip nat enable
! NOTE(review): virtual fragment reassembly is explicitly disabled on the Internet side,
! so fragmented inbound packets reach inspection unreassembled.
no ip virtual-reassembly in
duplex full
speed auto
no cdp enable
! NAT: NAT1 (route-map, ACL 103) overloads on the primary interface address; NATE
! (route-map, ACL 104) overloads on pool NATE = y.y.y.y; and 172.17.7.220 is statically
! mapped 1:1 to that same y.y.y.y. Pool and static share one address -- verify the
! static mapping takes precedence for inbound traffic to y.y.y.y.
ip nat pool NATE y.y.y.y y.y.y.y netmask 255.255.255.240
ip nat inside source route-map NAT1 interface FastEthernet0/1 overload
ip nat inside source route-map NATE pool NATE overload
ip nat inside source static 172.17.7.220 y.y.y.y extendable
! [Gate_PROV] is a placeholder for the provider's gateway address.
ip route 0.0.0.0 0.0.0.0 [Gate_PROV]
!
! --- Named ACLs referenced by the SDM_* class-maps. All of them are "any any".
ip access-list extended SDM_AH
permit ahp any any
ip access-list extended SDM_ESP
permit esp any any
ip access-list extended SDM_GRE
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
! SDM_IP matches all IP; used for the uninspected LAN <-> EzVPN "pass".
ip access-list extended SDM_IP
remark SDM_ACL Category=17
permit ip any any
! SDM_SHELL = rsh (tcp/514, "cmd"): cleartext, host-trust based. Reachable on the router
! from out-zone through ccp-permit.
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
! Syslog at "debugging" is the most verbose trap level; the "drop log" actions in the
! inspect policies add to that volume.
logging trap debugging
! ACL 23: internal management sources (10.10.10.0/29, 172.16/16, 172.17/16). Not referenced
! anywhere in this paste -- presumably the vty "access-class 23 in" generated by CCP/SDM,
! which is outside the paste. It is also the obvious candidate for restricting ACL 102.
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.0.0 0.0.255.255
access-list 23 permit 172.17.0.0 0.0.255.255
! ACL 100: invalid source addresses (used by ccp-invalid-src -> drop log).
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! ACL 102: "permit ip any any" -- adds no restriction to sdm-access (router management from anywhere).
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
! ACL 103 (route-map NAT1): LAN -> 172.16.0.0/12 is excluded from NAT (deny = no translation);
! only the five listed hosts are translated onto the outside interface address.
access-list 103 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 103 permit ip host 172.17.7.30 any
access-list 103 permit ip host 172.17.15.30 any
access-list 103 permit ip host 172.17.7.74 any
access-list 103 permit ip host 172.17.7.93 any
access-list 103 permit ip host 172.17.0.11 any
! ACL 104: used three ways (SDM_VPN_SERVER_TRAFFIC, CCP-Voice-permit, route-map NATE) and
! mixes inside (172.17.x) and public (y.y.y.y) addresses. No remark -- add one describing
! the intent, since a change here alters firewall and NAT behaviour at once.
access-list 104 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 104 permit ip host 172.17.1.1 any
access-list 104 permit ip any host y.y.y.y
access-list 104 permit ip host 172.17.7.220 any
access-list 104 permit ip any host 172.17.1.1
access-list 104 permit ip host y.y.y.y any
! ACL 105: voice host pairs for the VoipNM priority queue.
access-list 105 remark Shape VOIP traffic
access-list 105 permit ip host 172.16.0.201 host 172.17.0.10
access-list 105 permit ip host 172.17.0.10 host 172.16.0.201
access-list 105 permit ip host 172.16.0.201 host 172.17.8.10
access-list 105 permit ip host 172.17.8.10 host 172.16.0.201
! NATE: inside-source NAT onto pool NATE (y.y.y.y) for traffic matching ACL 104.
route-map NATE permit 1
match ip address 104
!
! NAT1: inside-source NAT onto the FastEthernet0/1 address for traffic matching ACL 103.
route-map NAT1 permit 1
match ip address 103