Not sure how your FW is set up presently, but it sounds like it could be your issue. I would create a firewall policy for just these pen test systems, then apply it to them. Here is the setup as if you were looking at the Firewall Rules policy in ePO:
Firewall Rules policy
1. External USB NIC Location Aware group (within this group, configure the network criteria to be the single static IP of the External USB NIC, or a range of addresses if the IP varies. Make sure you check the "Isolate this connection" box.)
-> place your firewall rules for this NIC here within this group
2. Internal NIC Location Aware group (again, configure your network to be the static IP of the internal NIC, or DHCP range. Again, check the "Isolate this connection" box.)
-> place your firewall rules for this NIC here within this group
Kinda simplified, but it gives you a general idea.