What kind of firewalls are you using?

I really only would call myself really proficient with the PIX. But it's not that hard to do.

Rather than type out the instructions, you can look it up here.

As far as what you should be looking for...look for ip/port/ping scans coming in from the outside. Honestly, if you know what addresses you have that should be talking, and what direction they should be talking, you should identify it pretty easily.

Common ports that people will try to exploit include (but are not limited to) 21, 22, 23, 25, 80, 110, 135, 136, 137 ,138, 139, 443, and 445,. I also see traffic directed at 5190 (AIM port) and 8080 (commonly used by a bunch of stuff). Another trick they might use is sourcing their port from a diffrent service. So if you see say....an rlogin connection attempted on the smtp port, something is amiss.