In the ICND2 book, it mentions the use of reflexive ACLs to permit each TCP/UDP session on an individual basis. The example given describes a scenario like this:
Workstation (a.a.a.a:5000) > Router > Internet > Web Server (b.b.b.b:80)
The reflexive ACL's logic is to control the individual session between the workstation and the web server by restricting sent/received traffic between a.a.a.a:5000 and b.b.b.b:80, so as to prevent c.c.c.c:80 from passing traffic through the router.
My question is: why did the book phrase this example as a "classic case in which traditional ACLs create a security hole...", when a PAT session would restrict the protocol, inside global, inside local, outside local, and outside global IP header information? Traffic sent from the attacker should never get beyond the router's outside interface with PAT. As I upload this post, an outside host should not be able to source his port to 80 and flood my network.
Is the book assuming the router is not using PAT, is there a reason for the over-redundancy, or am I missing something?
Thanks for your input
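The reflexive ACL behaviour the book's example relies on, as an added Python model that is not part of the original post or of the ICND2 text: a traditional ACL of the form `permit tcp any eq 80 any gt 1023` is placed beside a reflexive ACL that permits an inbound packet only when it mirrors the full 5-tuple of an outbound one and the entry has not idled out. The IP addresses are RFC 5737 documentation placeholders standing in for a.a.a.a, b.b.b.b and c.c.c.c; the class, function and ACL names are assumptions for illustration; PAT is deliberately not modelled, so the post's question about it is left open.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet header, reduced to the fields an ACL looks at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed placeholders standing in for a.a.a.a, b.b.b.b and c.c.c.c
# (RFC 5737 documentation ranges, not real hosts).
WORKSTATION = "192.0.2.10"     # a.a.a.a
WEB_SERVER = "198.51.100.80"   # b.b.b.b
ATTACKER = "203.0.113.66"      # c.c.c.c


def static_acl_permits_inbound(pkt: Packet) -> bool:
    """Traditional ACL applied inbound on the outside interface:

        permit tcp any eq 80 any gt 1023

    It inspects only the header of the packet in front of it, so any
    outside host that sources its traffic from port 80 toward a high
    port is permitted, whether or not an inside host ever asked for it.
    """
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.dport > 1023


class ReflexiveACL:
    """Model of a reflexive ACL pair (names TCPTRAFFIC etc. are assumed):

        ip access-list extended OUTBOUND
         permit tcp any any reflect TCPTRAFFIC timeout 300
        ip access-list extended INBOUND
         evaluate TCPTRAFFIC

    Each outbound packet creates a temporary entry that is the exact
    mirror of its 5-tuple; an inbound packet is permitted only if it
    matches such an entry and the entry has not idled out. (IOS also
    removes a TCP entry when it sees the session close with FIN/RST;
    that part is omitted here.)
    """

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries = {}  # mirrored 5-tuple -> time last seen

    def outbound(self, pkt: Packet, now: int) -> None:
        # The temporary entry swaps source and destination so that only
        # the reply to *this* session matches it.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now

    def inbound_permits(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.entries.get(key)
        if last is None or now - last > self.timeout:
            self.entries.pop(key, None)  # expired or never created
            return False
        self.entries[key] = now  # matching traffic refreshes the idle timer
        return True


def demo() -> dict:
    """Run the post's scenario through both filters and report verdicts."""
    request = Packet("tcp", WORKSTATION, 5000, WEB_SERVER, 80)
    reply = Packet("tcp", WEB_SERVER, 80, WORKSTATION, 5000)
    spoofed = Packet("tcp", ATTACKER, 80, WORKSTATION, 5000)  # c.c.c.c:80

    acl = ReflexiveACL(timeout=300)
    acl.outbound(request, now=0)  # workstation opens the session
    return {
        "static permits real reply": static_acl_permits_inbound(reply),
        "static permits attacker on port 80": static_acl_permits_inbound(spoofed),
        "reflexive permits real reply": acl.inbound_permits(reply, now=1),
        "reflexive permits attacker on port 80": acl.inbound_permits(spoofed, now=1),
        "reflexive permits reply after idle timeout": acl.inbound_permits(reply, now=400),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'permit' if allowed else 'deny'}")
```

The static ACL lets the attacker's packet through because it has no notion of a session, only of the ports in the packet it is looking at; the reflexive entry is keyed on all five tuple fields, so c.c.c.c:80 never matches the entry created by a.a.a.a:5000 -> b.b.b.b:80, and even the legitimate server's packets are dropped once the entry has been idle for longer than the configured timeout.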