Re: same internal host mapped to 2 different static ip address

Couple Points:

1) Sorry - yes again I kinda assumed that you knew that rulebase rules were dealt with sequentially - if a rule is matched then the action for that rule is taken and that's it - it DOES NOT match any further rules. Note1

2) And yes - silly me Intranet does match the "any | Ext_Ip_2 | Acc" Rule - so do as lammbo suggests and have

     intranet | ext_ip1 | any | accept
   X Intranet | ext-ip2 | any | accept   <===== the negated cell is made by using the intranet object in the SRC column and then R.Click selecting "NEGATE CELL"

3) Just a point on what I was mentioning earlier - all my info was designed for traffic ORIGINATING from either Intranet_Users or Internet_Users. This is called Static Destination mode. What I have created is correct imho (with the exception of point (2) above) :-) . You only need the "reflexive" rules if traffic will be ORIGINATING from the Internal_Host - which I assumed would not be happening (this new situation being Static Source Mode). Remember, with Firewall-1 replies are Stateful so they do not need an explicit rule to allow communication.

Note1: There is only one exception to that statement - which only arises when using user authentication ;-)

Last edited by coldark; 2008-04-15 at 14:15.
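The first-match behaviour and the negated source cell from points (1) and (2), as an added example that is not part of the original post and is not Check Point code. The addresses, the `Rule` class and the `evaluate` helper are assumptions made for illustration; the service column is left out because both rules use "any", and a final drop is assumed when no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample objects (assumptions, not values from the thread).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
EXT_IP1 = ipaddress.ip_address("192.0.2.1")
EXT_IP2 = ipaddress.ip_address("192.0.2.2")


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]  # None models "any"
    dst: ipaddress.IPv4Address
    action: str
    negate_src: bool = False              # models the "NEGATE CELL" option

    def matches(self, src_ip, dst_ip):
        if self.src is None:
            src_ok = True
        else:
            # A negated cell matches every source that is NOT in the object.
            src_ok = (src_ip in self.src) != self.negate_src
        return src_ok and dst_ip == self.dst


def evaluate(rulebase, src, dst):
    """Return (rule number, action) of the first matching rule only."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(rulebase, 1):
        if rule.matches(src_ip, dst_ip):
            return number, rule.action    # no further rules are examined
    return None, "drop"                   # assumed final drop


# Rulebase with "any" as source on the second rule: Intranet matches it too.
ORIGINAL = [Rule(INTRANET, EXT_IP1, "accept"),
            Rule(None, EXT_IP2, "accept")]

# Rulebase with the Intranet object negated in the SRC cell of the second rule.
CORRECTED = [Rule(INTRANET, EXT_IP1, "accept"),
             Rule(INTRANET, EXT_IP2, "accept", negate_src=True)]

if __name__ == "__main__":
    for name, rb in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "intranet -> ext_ip2:", evaluate(rb, "10.1.2.3", "192.0.2.2"))
```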