Penetration Testing mailing list archives

[PEN-TEST] NAT / Stateful Packet Inspection Questions


From: Leon Rosenstein <l_rosenstein () MONTELSHOW COM>
Date: Wed, 27 Sep 2000 11:27:40 -0400

Hi everyone.  This is the first time I am posting to this list so please
don't flame me if the question sounds insane or is out-of-line.  If you feel
forced to flame me at least have enough respect to do it in private.  I am just
curious and seeking knowledge.

I would like to set up a scenario and see what the group thinks.

I was trying to help my friend audit his network through a penetration test.
I found the firewall impenetrable (at least by me, which does not really say
that much) (insert joke about newbies here).

The network has no remote access points (it does not have a VPN or any
Dial-Up Servers).  It has only a server, router, & firewall.

The firewall is doing both NAT and Stateful Packet Inspection (SPI from here
on in).  There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has cached
or is aware of the potential incoming connection).  If the connection comes
back in on a different port than the firewall expects (assumes) it will drop
the connection.

Is there any way to circumvent this firewall (or any firewalls that employ
NAT and SPI as their primary defense mechanisms)?  Is there any way to get
direct access to the server?  I have port scanned the router and found
listening ports and remote administration software but I am curious as to
how one could circumvent the firewall (if this is done through hijacking the
router I would be curious about that also).

I know very talented people in the industry read this list so any help would
be much appreciated.

Oh and please feel free to respond on list or off.

Thanks in advance

Leon
