Shalendra,
Ideally the penetration test should fail as per the default behavior of the ASA itself.
Since the outside interface is on the lowest security level, no packet should be allowed to go through unless it has been allowed in the ACL (also keeping NAT in mind).
Please check the ACLs that you have in the inbound direction on the outside interface of the ASA.
As regards the syslogs that you should ideally be seeing:
-
Syslog message when there is no connection entry:
%ASA-6-106015: Deny TCP (no connection) from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
-
Syslog message when the packet is denied by an ACL:
%ASA-4-106023: Deny protocol src [interface_name:source_address/source_port]
dst interface_name:dest_address/dest_port by access_group acl_ID
-
Syslog message when there is no translation rule found:
%ASA-3-305005: No translation group found for protocol src interface_name:
source_address/source_port dst interface_name:dest_address/dest_port
-
Syslog message when a packet is denied by Security Inspection:
%ASA-4-405104: H225 message received from outside_address/outside_port to
inside_address/inside_port before SETUP
-
Syslog message when there is no route information:
%ASA-6-110003: Routing failed to locate next-hop for protocol from src
interface:src IP/src port to dest interface:dest IP/dest port
The above are the most commonly seen syslog messages on a perimeter firewall when traffic is denied by the firewall.
-
Pulkit
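To make the checklist above usable against an actual log export, here is a small parser for the five deny messages the post lists. This is an added example, not code from the post or from Cisco: the regexes are written against the message formats quoted above (they also accept the "access-group" and "next hop" spellings), the sample log lines are constructed, the interface is assumed to be named "outside", and the %ASA-6-302013 "Built inbound TCP connection" line is a real ASA message that is not in the post, included only as a non-deny control.

```python
import re
from collections import Counter

# Message IDs quoted in the post, mapped to the deny reason each one signals.
DENY_REASONS = {
    "106015": "no connection entry",
    "106023": "denied by ACL",
    "305005": "no translation (NAT) rule",
    "405104": "denied by security inspection (H.225)",
    "110003": "no route to next hop",
}

# Generic ASA syslog header: %ASA-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Body patterns, written against the formats shown in the post.
BODY_RES = {
    "106015": re.compile(
        r"Deny (?P<proto>\S+) \(no connection\) from (?P<src>\S+) to (?P<dst>\S+) "
        r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"),
    "106023": re.compile(
        r"Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>\S+) "
        r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) by access[-_]group \"?(?P<acl>[^\"\s]+)\"?"),
    "305005": re.compile(
        r"No translation group found for (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>\S+) "
        r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"),
    "405104": re.compile(
        r"H225 message received from (?P<src>\S+) to (?P<dst>\S+) before SETUP"),
    "110003": re.compile(
        r"Routing failed to locate next[- ]hop for (?P<proto>\S+) from "
        r"(?P<src_if>[^:\s]+):(?P<src>\S+) to (?P<dst_if>[^:\s]+):(?P<dst>\S+)"),
}

# Constructed sample lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOGS = [
    "%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/44321 to 198.51.100.10/443 flags RST on interface outside",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:10.0.0.10/22 by access_group OUTSIDE_IN",
    "%ASA-3-305005: No translation group found for tcp src outside:203.0.113.5/44323 dst inside:10.0.0.10/80",
    "%ASA-4-405104: H225 message received from 203.0.113.5/1720 to 10.0.0.10/1720 before SETUP",
    "%ASA-6-110003: Routing failed to locate next-hop for tcp from outside:203.0.113.5/44324 to inside:10.0.0.10/8080",
    # Control line: an allowed connection, not one of the deny messages.
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/5000 (203.0.113.9/5000) to inside:10.0.0.10/443 (198.51.100.10/443)",
    "not a syslog line at all",
]


def parse_asa_line(line):
    """Return a dict with severity, msgid, deny reason (or None) and parsed fields,
    or None if the line carries no ASA syslog header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msgid = m.group("msgid")
    event = {
        "severity": int(m.group("sev")),
        "msgid": msgid,
        "reason": DENY_REASONS.get(msgid),
        "fields": {},
    }
    body_re = BODY_RES.get(msgid)
    if body_re:
        bm = body_re.search(m.group("body"))
        if bm:
            event["fields"] = bm.groupdict()
    return event


def classify_denies(lines):
    """Count deny events per reason; non-deny and unparseable lines are ignored."""
    counts = Counter()
    for line in lines:
        ev = parse_asa_line(line)
        if ev and ev["reason"]:
            counts[ev["reason"]] += 1
    return counts


def denied_on_outside(lines, outside_if="outside"):
    """Deny events whose traffic entered on the outside interface, i.e. what the post
    says a test from the outside should produce. 405104 carries no interface name
    in the quoted format, so it is never matched here."""
    hits = []
    for line in lines:
        ev = parse_asa_line(line)
        if not ev or not ev["reason"]:
            continue
        f = ev["fields"]
        src_if = f.get("src_if") or f.get("iface")
        if src_if == outside_if:
            hits.append((ev["msgid"], f.get("src")))
    return hits


if __name__ == "__main__":
    for reason, n in sorted(classify_denies(SAMPLE_LOGS).items()):
        print(f"{n:3d}  {reason}")
    for msgid, src in denied_on_outside(SAMPLE_LOGS):
        print(f"denied on outside: {msgid} from {src}")
```

Run it over a syslog export from the ASA (or the buffered log from `show logging`) to see which of the deny paths the test traffic actually hit; a test that produces none of these messages, yet reaches an inside host, is the case worth chasing in the ACL and NAT configuration.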