1) hping and nmap are your friends. But before using them, you need to acquire introductory TCP/IP knowledge. Fragmented packets, source address spoofing, dns queries, decoy hosts, crafted SYN+ACK packets, etc. you can implement these testing parameters via both nmap and hping.
You can use nmap's --reason parameter to see why your packet dropped or rejected. tcpdump is also good for this but if you want to interpret the results then you really need to understand the basics.
2) I recommend you reading Ftester's documentation from here.
3) This may also be useful to you if you want to enumerate IP hops.
4) If you want to check your CISCO firewall's rules automagically then flint is your cure, my friend.