diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 2def133e108..494361057a2 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -91,8 +91,6 @@ add_one_to_one_nat_entry() {
 if [ "$op" == "-A" ]
 then
 iptables -P FORWARD DROP
- else
- iptables -P FORWARD ACCEPT
 fi
 iptables $op FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables $op FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index af6470c4100..d370f975d08 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2245,9 +2245,15 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, VirtualM
 {
 if((publicIp.getAccountId().longValue() == vm.getAccountId()))
 {
- _networkMgr.deletePortForwardingRule(rule.getId(),true);//delete the rule with the sys user's credentials
- if(s_logger.isDebugEnabled())
- s_logger.debug("Rule "+rule.getId()+" for vm:"+vm.getHostName()+" is deleted successfully during expunge operation");
+ if(publicIp.isOneToOneNat()){
+ _networkMgr.deleteIpForwardingRule(rule.getId());
+ if(s_logger.isDebugEnabled())
+ s_logger.debug("Rule "+rule.getId()+" for vm:"+vm.getHostName()+" is deleted successfully during expunge operation");
+ }else{
+ _networkMgr.deletePortForwardingRule(rule.getId(),true);//delete the rule with the sys user's credentials
+ if(s_logger.isDebugEnabled())
+ s_logger.debug("Rule "+rule.getId()+" for vm:"+vm.getHostName()+" is deleted successfully during expunge operation");
+ }
 }
 }
 }
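Review bot: Both branches of the new `if(publicIp.isOneToOneNat())` log "deleted successfully" without checking what `_networkMgr.deleteIpForwardingRule(rule.getId())` or `deletePortForwardingRule(rule.getId(),true)` reported, so a failed delete during expunge would leave a forwarding rule on the public IP while the log claims otherwise. If these methods return a status (their signatures are not visible in this hunk), capture it and warn on failure, e.g. `if(!deleted) s_logger.warn("Failed to delete rule "+rule.getId()+" for vm:"+vm.getHostName()+" during expunge");`. The one-to-one NAT call also has no counterpart to the `true` argument that the existing comment describes as using the sys user's credentials, so it is worth confirming that its permission check passes when expunge runs outside a user's request context. The identical debug statement could be hoisted below the if/else instead of being repeated in each branch. The enclosing method starts and ends outside the hunk.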