in reply to Low Level Network Connections

You say: "I have 9 IP blocks to monitor on a weekly basis for the addition of hosts."

What do you mean?

  1. I don't trust my co-lo's security. I'm fearful somebody is going to sneak in and put a machine on my hub without my knowledge.
  2. I have a bunch of UML hosts and I want to make sure my IPs don't end up on somebody else's host.
  3. I'm scanning (2**16) * 2 * every IP that's mine without checking to see if the machine is actually there in a single thread. (This over dialup is a fool's errand.)
  4. Other...

Each is a different problem.

If you have reason enough to be paranoid to such a degree (not that it's a bad thing to be), here's a first go at it.

I'm going to assume that you're scanning from outside your space on the odd chance that a cracker/whatever might be smart enough to hide something on your server that won't respond to hosts in its local subnet.

I'm also assuming that you have a single router interface from your provider for all your subnets. Things can get more complex.

Make sure the ACL on the interface drops (logs) incoming packets from outside your address space (spoof).

Put an as-secure-as-possible server on your net. Say, only the latest SSH on a non-standard port. If you can arrange a static IP for your dialup.... (ha) only accept connections from the static IP.

SSH to the sekret server, add an alias to its interface for some far-out random IP, use nmap from that alias.

Try ping -b. A host that wants to communicate will have to answer an ARP.

Run Snort on the sekret server. Pay special attention to alerting on traffic to (host|port)s that aren't on your special list. Bonus: have it page you when it finds something at 3:14 a.m.
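
An added example, not part of the original reply: one way to turn the weekly nmap runs into a report of new hosts and newly open ports, by diffing two scans saved in nmap's grepable (-oG) format. The sample scans, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample scans in nmap grepable (-oG) format, using a
# documentation address range. Not data from the original post.
LAST_WEEK = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 2222/open/tcp//ssh///\n"
    "Host: 192.0.2.20 (www.example.test)\tStatus: Up\n"
    "Host: 192.0.2.20 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
)
THIS_WEEK = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 2222/open/tcp//ssh///\n"
    "Host: 192.0.2.20 (www.example.test)\tStatus: Up\n"
    "Host: 192.0.2.20 (www.example.test)\tPorts: 80/open/tcp//http///, 25/open/tcp//smtp///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.30 ()\tStatus: Down\n"
    "Host: 192.0.2.77 ()\tStatus: Up\n"
    "Host: 192.0.2.77 ()\tPorts: 8080/open/tcp//http-proxy///\n"
)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: set of (port, proto)} for every host not reported down."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Status: Down" in m.group(2):
            continue  # comments, blank lines, hosts that did not answer
        open_ports = hosts.setdefault(m.group(1), set())
        for field in m.group(2).split("\t"):
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(","):
                    parts = entry.strip().split("/")  # port/state/proto/...
                    if len(parts) >= 3 and parts[1] == "open":
                        open_ports.add((int(parts[0]), parts[2]))
    return hosts

def diff_scans(baseline, current):
    """Return (new_hosts, new_ports) relative to the baseline scan."""
    order = ipaddress.ip_address  # numeric sort, not string sort
    new_hosts = {ip: sorted(current[ip])
                 for ip in sorted(set(current) - set(baseline), key=order)}
    new_ports = {ip: sorted(current[ip] - baseline[ip])
                 for ip in sorted(set(current) & set(baseline), key=order)
                 if current[ip] - baseline[ip]}
    return new_hosts, new_ports

if __name__ == "__main__":
    print(diff_scans(parse_grepable(LAST_WEEK), parse_grepable(THIS_WEEK)))
```

Anything in either result that is not on the approved list is the host or port to go look at.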