In my opinion, getting around/through firewalls is as much art as science. I don't think anyone can really say "do x, then y, and that will get you through". With nmap, try using the -f & -g flags...along with the --scanflags option to set specific TCP flags like URG, RST, FIN, etc. You might also have a look at nmap.org/docs for reference. I'd concentrate more on using nmap to thoroughly scan/understand your target, then use metasploit as your entry tool once weaknesses are found.