I'm going to start soon on performing reconnaissance on a very large international network. I already know much (not all) of the Cisco network gear is "locked down" (latest IOS, tight ACLs, drop ICMP/TCP ping, etc.) and the servers are behind Cisco PIX firewalls.
I was wondering if anyone has tips on the best ways to determine if hosts are alive? I'm not very worried about stealth, since this activity is not being performed in secret. I was checking out the papers on the hping website (http://www.hping.org/papers.html) and it looks like the idle scan from a series of other addresses found on this particular netblock may be useful, in case there are rules in place to provide access through firewalls for "internal" machines. I'll try a few different Nmap options and report back on what appears most successful. Thanks! Mark
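Since the post leans on the hping idle-scan idea for finding live hosts behind the PIX, here is the decision logic that scan rests on, written out as an added example (it is not from the original post, and not code from nmap or hping). The packet side, probing a zombie's IP ID and sending the SYN to the target with the zombie's source address, is what `nmap -sI` or hping does; this module only implements the inference rules, so it runs offline on recorded IP ID values. The function names and all sample IP IDs below are constructed for illustration.

```python
"""Idle (zombie) scan inference rules, operating on observed IP ID values.

Sequence assumed (the classic one from the hping papers):
  1. elicit a reply from the zombie and note its IP ID      -> id_before
  2. send one or more SYNs to target:port, spoofed from the zombie's address
  3. elicit another reply from the zombie and note its IP ID -> id_after
The zombie's second reply always costs one increment. If the port is open,
the target SYN/ACKs the zombie, which answers each SYN/ACK with a RST (one
more increment per spoofed SYN). If the port is closed, the target RSTs the
zombie, which silently ignores it. If a firewall drops the SYN, nothing
reaches the zombie at all. Closed and filtered therefore look identical.
"""
from typing import Dict, List, Sequence

IPID_MOD = 1 << 16  # the IP identification field is 16 bits wide


def ipid_delta(before: int, after: int) -> int:
    """Datagrams the zombie sent between two observed IP IDs, assuming a
    single global incrementing counter. Handles wrap-around at 65535."""
    return (after - before) % IPID_MOD


def is_usable_zombie(samples: Sequence[int]) -> bool:
    """A candidate zombie is usable only if its IP ID rises by exactly one per
    packet we elicit from it: that shows a global counter (not per-destination,
    randomised or constant) and that nobody else is talking to it right now.
    `samples` are the IP IDs of consecutive replies to our own probes."""
    if len(samples) < 3:
        return False  # too few observations to tell incremental from random
    return all(ipid_delta(a, b) == 1 for a, b in zip(samples, samples[1:]))


def classify(id_before: int, id_after: int, spoofed_syns: int = 1) -> str:
    """Verdict for one target port from two zombie observations.

    spoofed_syns is how many SYNs were sent to target:port with the zombie's
    address between the two observations; sending several amplifies the
    signal so a single stray packet cannot be mistaken for an open port.
    """
    d = ipid_delta(id_before, id_after)
    if d == 1:
        return "closed|filtered"
    if d == 1 + spoofed_syns:
        return "open"
    if d == 0:
        return "error"  # duplicate reply or non-incrementing IP ID: bad zombie
    return "noisy"  # zombie emitted unrelated traffic; retry or pick another zombie


def evidence_of_life(port_results: Dict[int, str]) -> str:
    """Host-discovery reading of a set of per-port verdicts.

    An 'open' verdict on any port proves the target is up and reachable from
    the zombie's address (which is the whole point of picking a zombie that
    the firewall treats as internal). 'closed|filtered' everywhere proves
    nothing: the host may be down, fully filtered, or simply not listening.
    A noisy or broken zombie gives no information either way."""
    verdicts = set(port_results.values())
    if "open" in verdicts:
        return "alive"
    if verdicts and verdicts <= {"closed|filtered"}:
        return "no evidence"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed observations: an idle host whose IP ID steps by one per packet.
    print(is_usable_zombie([4121, 4122, 4123, 4124]))   # True
    print(is_usable_zombie([4121, 4123, 4124, 4130]))   # False: something else is talking to it
    print(classify(4124, 4126))                         # open
    print(classify(4126, 4127))                         # closed|filtered
    print(classify(65535, 0))                           # wrap-around -> closed|filtered
    print(classify(100, 105, spoofed_syns=4))           # open
    print(classify(100, 110, spoofed_syns=4))           # noisy
    print(evidence_of_life({80: "open", 22: "closed|filtered"}))  # alive
```

Two caveats worth keeping in mind when using this against the setup described in the post: the result only tells you what the firewall permits for the zombie's address, not for the scanning host, which is exactly why an "internal" zombie is attractive; and because closed and filtered are indistinguishable, a host that has no open port reachable from the zombie will never show up as alive by this method, so it complements rather than replaces other discovery probes.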
