How about just leaving the firewall on and giving the Nessus box's IP a permit tcp any (or similar statement), so that it can test all ports from external without compromising the firewall? You can even remove the statement when you're not scanning the network.
*edit*
I just re-read the question. I think if you're having a problem scanning a laptop with a firewall with Nessus, you should first try disabling ping checks on your Nessus scan. This will cause Nessus to fail just about every scan related to firewalls, because they will not respond to any pings and will then not be tested.



