Good news is you're already port forwarding... right here in your config:
ip nat inside source static tcp 192.168.2.10 20 68.14.216.186 20 extendable
ip nat inside source static tcp 192.168.2.10 21 68.14.216.186 21 extendable
ip nat inside source static tcp 192.168.2.10 80 68.14.216.186 80 extendable
ip nat inside source static tcp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static udp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static tcp 192.168.2.10 3389 68.14.216.186 3389 extendable
ip nat inside source static tcp 192.168.2.163 3391 68.14.216.186 3391 extendable
ip nat inside source static tcp 192.168.2.168 3392 68.14.216.186 3392 extendable
ip nat inside source static tcp 192.168.2.2 8282 68.14.216.186 8282 extendable
ip nat inside source static tcp 192.168.2.168 8585 68.14.216.186 8585 extendable
ip nat inside source static tcp 192.168.2.163 8686 68.14.216.186 8686 extendable
All you'd have to do is run "show ip nat translation" to see whether those NATs are showing up,
to confirm port forwarding is operating.
Bad news is, like aryoba said, I'm seriously wondering about your routing / NAT here, namely:
ip nat inside source list 1 interface GigabitEthernet0/1 overload
<SNIP>
ip route 0.0.0.0 0.0.0.0 192.168.1.0 permanent
ip route 0.0.0.0 0.0.0.0 192.168.3.0 permanent
ip route 0.0.0.0 0.0.0.0 68.14.216.177
So Gi0/1 / 68.14.216.186 is doing NAT overload for outbound traffic... so where does Gi0/0
fit in, or is it not supposed to take anything? Second, where are 192.168.1.0, 192.168.3.0
and 68.14.216.177 in all of this? You've basically just told it "for all traffic anywhere,
go to these two (nonexistent?) networks, THEN go out to this third (nonexistent?) IP address."
If you are new to IOS, what I'd recommend is back up the config to a text file, and start
with a bare config -- for now the DHCP config, the Gig0/1 interface, the VLAN1 interface and
the static NATs above. Once you've got that confirmed working, then go adding the rest like
the Gi0/0 interface and firewall config.
One last point, taking a look at your ZBFW config and ACLs, so incoming-policy is the policy-map,
Incoming-Traffic is the class, and NEW_Incoming defines the traffic that can enter... have you
checked if the ACL and the policy is getting any hits or not? Any log messages from the firewall?
Regards
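
An offline check of the two things the reply above asks about, the static port forwards and the default routes, written as an added Python example (not part of the original post and not Cisco tooling). The config lines are copied from the post; the /24 prefix used to decide whether a next hop is a network address is an assumption, since the interface masks are not shown.

```python
import ipaddress
import re

# Lines copied from the config quoted in the post (subset, for a self-contained run).
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.2.10 80 68.14.216.186 80 extendable
ip nat inside source static tcp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static udp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static tcp 192.168.2.10 3389 68.14.216.186 3389 extendable
ip route 0.0.0.0 0.0.0.0 192.168.1.0 permanent
ip route 0.0.0.0 0.0.0.0 192.168.3.0 permanent
ip route 0.0.0.0 0.0.0.0 68.14.216.177
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def port_forwards(config):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) per static NAT."""
    forwards = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            forwards.append((proto, in_ip, int(in_port), out_ip, int(out_port)))
    return forwards

def default_route_findings(config, assumed_prefix=24):
    """Flag default routes worth a second look.
    assumed_prefix is an assumption: the post does not show interface masks."""
    hops = [m.group(1) for l in config.splitlines() if (m := ROUTE_RE.match(l.strip()))]
    findings = []
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop given as an interface name, nothing to check
        net = ipaddress.ip_network(f"{hop}/{assumed_prefix}", strict=False)
        if addr == net.network_address:
            findings.append(f"next hop {hop} is the network address of {net}, not a host")
    if len(hops) > 1:
        findings.append(f"{len(hops)} default routes configured: {', '.join(hops)}")
    return findings

if __name__ == "__main__":
    for proto, in_ip, in_port, out_ip, out_port in port_forwards(SAMPLE_CONFIG):
        print(f"{out_ip}:{out_port}/{proto} -> {in_ip}:{in_port}")
    for finding in default_route_findings(SAMPLE_CONFIG):
        print("CHECK:", finding)
```

The forwards it lists are the entries to look for in the "show ip nat translation" output on the router itself.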