diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml
index 81937628788..688e2957b67 100755
--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml
@@ -16,7 +16,7 @@
@@ -39,7 +39,7 @@
@@ -59,7 +59,7 @@
name=""
placement="none"
status="created"
- value="%srcip%"/>
+ value="%ip%"/>
@@ -70,5 +70,5 @@
natrulename="bbb"
descr=value
ippoolname="ccc"
- srcip="10.147.30.230"
+ ip="10.147.30.230"
--!>
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml
new file mode 100755
index 00000000000..de7305fe8db
--- /dev/null
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml
new file mode 100755
index 00000000000..9d37552e099
--- /dev/null
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml
@@ -0,0 +1,138 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
index 8fb38a40f68..57f12d04268 100755
--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
@@ -5,7 +5,7 @@
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml
index 8f5300391cf..b6d2840873b 100755
--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml
@@ -16,8 +16,8 @@
@@ -39,7 +39,7 @@
@@ -59,7 +59,7 @@
name=""
placement="none"
status="created"
- value="%srcip%"/>
+ value="%ip%"/>
@@ -71,7 +71,7 @@
@@ -92,7 +92,7 @@
name=""
placement="begin"
status="created"
- value="%srcportstart%"/>
+ value="%startport%"/>
+ value="%endport%"/>
@@ -142,8 +142,8 @@
descr=value
ippoolname="ccc"
portpoolname="ddd"
- srcip="10.147.30.230"
- srcportstart="22"
- srcportend="22"
+ ip="10.147.30.230"
+ startport="22"
+ endport="22"
protocolvalue="TCP"
--!>
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
index 20bfa155f69..c5961d22ea4 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
@@ -76,7 +76,12 @@ public interface CiscoVnmcConnection {
public boolean createTenantVDCDNatRule(String tenantName,
String identifier, String policyIdentifier,
- String sourceIp)
+ String publicIp)
+ throws ExecutionException;
+
+ public boolean createTenantVDCIngressAclRuleForDNat(String tenantName,
+ String identifier, String policyIdentifier,
+ String publicIp)
throws ExecutionException;
public boolean createTenantVDCDNatPolicy(String tenantName, String identifier)
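Review bot: The interface methods added here and in the next hunk (`createTenantVDCIngressAclRuleForDNat`, `createTenantVDCIngressAclRuleForPF`) carry no Javadoc, so what the ACL rule permits and how it relates to the NAT rule created under the same identifier can only be recovered by reading the implementation. A short comment on each would make the contract reviewable, e.g. `/** Creates the ingress ACL rule accompanying the DNAT rule {@code identifier} under the ACL policy {@code policyIdentifier}, permitting traffic addressed to {@code publicIp}; returns false when VNMC reports failure. */`, with the PF variant also naming {@code protocol} and the {@code startPort}–{@code endPort} range. The rename from `sourceIp` to `publicIp` is clearer, but that the value is the public-side address of the mapping should be stated in the doc rather than left to the parameter name.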
@@ -97,8 +102,14 @@ public interface CiscoVnmcConnection {
public boolean createTenantVDCPFRule(String tenantName,
String identifier, String policyIdentifier,
- String protocol, String sourceIp,
- String startSourcePort, String endSourcePort)
+ String protocol, String publicIp,
+ String startPort, String endPort)
+ throws ExecutionException;
+
+ public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
+ String identifier, String policyIdentifier,
+ String protocol, String publicIp,
+ String startPort, String endPort)
throws ExecutionException;
public boolean createTenantVDCPFPolicy(String tenantName, String identifier)
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
index b967aa2fba5..eac3e672136 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
@@ -77,7 +77,9 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
CREATE_IP_POOL("create-ip-pool.xml", "policy-mgr"),
CREATE_PF_RULE("create-pf-rule.xml", "policy-mgr"),
+ CREATE_INGRESS_ACL_RULE_FOR_PF("create-ingress-acl-rule-for-pf.xml", "policy-mgr"),
CREATE_DNAT_RULE("create-dnat-rule.xml", "policy-mgr"),
+ CREATE_INGRESS_ACL_RULE_FOR_DNAT("create-ingress-acl-rule-for-dnat.xml", "policy-mgr"),
CREATE_SOURCE_NAT_RULE("create-source-nat-rule.xml", "policy-mgr"),
CREATE_ACL_POLICY_SET("create-acl-policy-set.xml", "policy-mgr"),
@@ -662,9 +664,9 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml();
String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
- //xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);
xml = replaceXmlValue(xml, "actiontype", "permit");
xml = replaceXmlValue(xml, "protocolvalue", protocol);
xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
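Review bot: The description un-commented at L201 is built as `"Ingress ACL policy for Tenant VDC" + tenantName`, which concatenates with no separator and labels an ACL rule a "policy", while the sibling methods in this file write `"PF rule for Tenant VDC " + tenantName` and `"DNAT rule for Tenant VDC " + tenantName`. Suggest `xml = replaceXmlValue(xml, "descr", "Ingress ACL rule for Tenant VDC " + tenantName);`. Since the value is substituted straight into the request template, it is also worth confirming that tenantName cannot contain XML metacharacters or that replaceXmlValue escapes them; neither is visible in this hunk. The enclosing createIngressAclRule continues outside the hunk.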
@@ -838,8 +840,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
@Override
public boolean createTenantVDCPFRule(String tenantName,
String identifier, String policyIdentifier,
- String protocol, String sourceIp,
- String startSourcePort, String endSourcePort) throws ExecutionException {
+ String protocol, String publicIp,
+ String startPort, String endPort) throws ExecutionException {
String xml = VnmcXml.CREATE_PF_RULE.getXml();
String service = VnmcXml.CREATE_PF_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
@@ -848,15 +850,35 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
xml = replaceXmlValue(xml, "descr", "PF rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "ippoolname", getNameForPFIpPool(tenantName, policyIdentifier + "-" + identifier));
xml = replaceXmlValue(xml, "portpoolname", getNameForPFPortPool(tenantName, policyIdentifier + "-" + identifier));
- xml = replaceXmlValue(xml, "srcip", sourceIp);
- xml = replaceXmlValue(xml, "srcportstart", startSourcePort);
- xml = replaceXmlValue(xml, "srcportend", endSourcePort);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+ xml = replaceXmlValue(xml, "startport", startPort);
+ xml = replaceXmlValue(xml, "endport", endPort);
xml = replaceXmlValue(xml, "protocolvalue", protocol);
String response = sendRequest(service, xml);
return verifySuccess(response);
}
+ @Override
+ public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
+ String identifier, String policyIdentifier, String protocol,
+ String publicIp, String startPort, String endPort)
+ throws ExecutionException {
+ String xml = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_PF.getXml();
+ String service = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_PF.getService();
+ xml = replaceXmlValue(xml, "cookie", _cookie);
+ xml = replaceXmlValue(xml, "natruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+ xml = replaceXmlValue(xml, "natrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "ACL rule for Tenant VDC " + tenantName);
+ xml = replaceXmlValue(xml, "protocolvalue", protocol);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+ xml = replaceXmlValue(xml, "startport", startPort);
+ xml = replaceXmlValue(xml, "endport", endPort);
+
+ String response = sendRequest(service, xml);
+ return verifySuccess(response);
+ }
+
@Override
public boolean createTenantVDCPFPolicyRef(String tenantName, String identifier) throws ExecutionException {
return createTenantVDCNatPolicyRef(
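Review bot: `createTenantVDCIngressAclRuleForPF` substitutes the ACL rule DN and name under the template keys `natruledn`/`natrulename`, whereas the existing createIngressAclRule in this file (hunk at -662) uses `aclruledn`/`aclrulename` with the same helpers; which is right depends on the placeholders in create-ingress-acl-rule-for-pf.xml, whose content is not shown in this diff, so the keys should be checked against the template because a mismatch would presumably leave the literal placeholder in the request sent to VNMC. The same applies to `createTenantVDCIngressAclRuleForDNat` in the hunk at -928. The body otherwise repeats createTenantVDCPFRule nearly line for line; the cookie/descr/protocol/ip/port substitutions could be factored into a private helper taking the VnmcXml entry and the DN/name values. A Javadoc line stating that the rule permits traffic to publicIp on startPort–endPort for protocol would make the intent explicit, since the call arguments suggest it but the template decides.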
@@ -919,7 +941,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
@Override
public boolean createTenantVDCDNatRule(String tenantName,
- String identifier, String policyIdentifier, String sourceIp)
+ String identifier, String policyIdentifier, String publicIp)
throws ExecutionException {
String xml = VnmcXml.CREATE_DNAT_RULE.getXml();
String service = VnmcXml.CREATE_DNAT_RULE.getService();
@@ -928,7 +950,23 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
xml = replaceXmlValue(xml, "natrulename", getNameForDNatRule(tenantName, identifier));
xml = replaceXmlValue(xml, "descr", "DNAT rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "ippoolname", getNameForDNatIpPool(tenantName, policyIdentifier + "-" + identifier));
- xml = replaceXmlValue(xml, "srcip", sourceIp);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+
+ String response = sendRequest(service, xml);
+ return verifySuccess(response);
+ }
+
+ @Override
+ public boolean createTenantVDCIngressAclRuleForDNat(String tenantName,
+ String identifier, String policyIdentifier, String publicIp)
+ throws ExecutionException {
+ String xml = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_DNAT.getXml();
+ String service = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_DNAT.getService();
+ xml = replaceXmlValue(xml, "cookie", _cookie);
+ xml = replaceXmlValue(xml, "natruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+ xml = replaceXmlValue(xml, "natrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "ACL rule for Tenant VDC " + tenantName);
+ xml = replaceXmlValue(xml, "ip", publicIp);
String response = sendRequest(service, xml);
return verifySuccess(response);
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
index 3ab66269a49..e49952e4456 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
@@ -347,9 +347,9 @@ public class CiscoVnmcResource implements ServerResource{
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
+ /*if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ }*/
// TODO for egress
if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
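Review bot: The deleteTenantVDCAclPolicy call is disabled with a block comment rather than removed or explained, and the same is done for deleteTenantVDCDNatPolicy (hunk at -425) and deleteTenantVDCPFPolicy (hunk at -495). With the delete gone, each pass re-creates the policy on top of whatever rules it already holds, so rules removed on the CloudStack side are never cleared from the device unless the revoked branches further down do it, and those are also commented out in this commit. If the delete has to stay off, a one-line comment saying why, e.g. `// policy delete disabled: <reason> — stale rules in this policy are not cleaned up yet`, is preferable to dead code. The commented-out message in the PF hunk still reads "Failed to delete ACL ingress policy" for a PF policy, a copy-paste leftover worth fixing if the code is ever re-enabled.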
@@ -368,8 +368,12 @@ public class CiscoVnmcResource implements ServerResource{
String[] result = cidr.split("\\/");
assert (result.length == 2) : "Something is wrong with source cidr " + cidr;
long size = Long.valueOf(result[1]);
- String externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
- String externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
+ String externalStartIp = result[0];
+ String externalEndIp = result[0];
+ if (size < 32) {
+ externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
+ externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
+ }
if (!_connection.createIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
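Review bot: The new `if (size < 32)` guard handles a /32 by using the host address itself, but any prefix length above 32 also falls through to that branch and is silently treated as a single host; the `assert` on L301 is inactive unless the JVM runs with -ea, and Long.valueOf throws NumberFormatException on a non-numeric suffix, which would surface as an unrelated failure. Suggest validating the parsed length explicitly, `if (size < 0 || size > 32) { throw new Exception("Invalid source cidr " + cidr); }`, before the range computation, and replacing the assert on result.length with a real check in the same style. Whether the NetUtils range helpers already reject such values is not visible here. The enclosing loop continues outside the hunk.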
@@ -425,9 +429,9 @@ public class CiscoVnmcResource implements ServerResource{
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCDNatPolicy(tenant, policyIdentifier)) {
- throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ /*if (!_connection.deleteTenantVDCDNatPolicy(tenant, policyIdentifier)) {
+ throw new Exception("Failed to delete DNAT policy in VNMC for guest network with vlan " + vlanId);
+ }*/
if (!_connection.createTenantVDCDNatPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to create DNAT policy in VNMC for guest network with vlan " + vlanId);
@@ -436,9 +440,17 @@ public class CiscoVnmcResource implements ServerResource{
throw new Exception("Failed to associate DNAT policy with NAT policy set in VNMC for guest network with vlan " + vlanId);
}
+ if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
+ }
+ if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
+ }
+
for (StaticNatRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
- //_connection.deleteDNatRule(tenant, Long.toString(rule.getId()), publicIp);
+ //_connection.deleteDNatRule(tenant, Long.toString(rule.getId()), policyIdentifier);
+ //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
} else {
if (!_connection.createTenantVDCDNatIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
throw new Exception("Failed to create DNAT ip pool in VNMC for guest network with vlan " + vlanId);
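Review bot: The revoked branch at L335–L338 now performs no action at all, since both the DNAT rule delete and the new ACL rule delete are comments, so a static NAT rule revoked in CloudStack leaves its DNAT entry and the permit ACL rule created by this commit active on the VNMC until something else removes them; the PF path (hunk at -506) has the same shape. From an exposure standpoint the device keeps forwarding and permitting traffic the operator believes is closed. If the delete APIs are not ready, the branch should at least log a warning with the rule id through the resource's logger, and the gap should be tracked in a comment rather than left silent, e.g. `// TODO revoked rule is not removed from VNMC yet; DNAT and ACL entries remain active`.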
@@ -448,6 +460,11 @@ public class CiscoVnmcResource implements ServerResource{
Long.toString(rule.getId()), policyIdentifier, rule.getSrcIp())) {
throw new Exception("Failed to create DNAT rule in VNMC for guest network with vlan " + vlanId);
}
+
+ if (!_connection.createTenantVDCIngressAclRuleForDNat(tenant,
+ Long.toString(rule.getId()), policyIdentifier, rule.getSrcIp())) {
+ throw new Exception("Failed to create ACL ingress rule for DNAT in VNMC for guest network with vlan " + vlanId);
+ }
}
}
}
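Review bot: If `createTenantVDCIngressAclRuleForDNat` at L347 returns false, the exception at L349 is thrown after the DNAT IP pool and DNAT rule for the same rule id have already been created on the device, and nothing rolls them back; the PF path in the hunk at -525 adds the same step with the same gap. Whether a retry tolerates the pre-existing objects depends on how VNMC handles duplicate creates, which this diff does not show. It is also worth confirming how the per-rule ingress permit created here is ordered relative to the firewall ACL rules created through createIngressAclRule for the same public IP, since both are placed in an ACL policy created with the same `policyIdentifier` (L298 and L327) and the effective exposure depends on which rule matches first. A short comment above the call stating what traffic the ACL rule permits would make that auditable.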
@@ -495,9 +512,9 @@ public class CiscoVnmcResource implements ServerResource{
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCPFPolicy(tenant, policyIdentifier)) {
+ /*if (!_connection.deleteTenantVDCPFPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ }*/
if (!_connection.createTenantVDCPFPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to create PF policy in VNMC for guest network with vlan " + vlanId);
@@ -506,9 +523,17 @@ public class CiscoVnmcResource implements ServerResource{
throw new Exception("Failed to associate PF policy with NAT policy set in VNMC for guest network with vlan " + vlanId);
}
+ if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
+ }
+ if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
+ }
+
for (PortForwardingRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
- //_connection.deletePFRule(tenant, Long.toString(rule.getId()), publicIp);
+ //_connection.deletePFRule(tenant, Long.toString(rule.getId()), policyIdentifier);
+ //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
} else {
if (!_connection.createTenantVDCPFIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
throw new Exception("Failed to create PF ip pool in VNMC for guest network with vlan " + vlanId);
@@ -525,6 +550,13 @@ public class CiscoVnmcResource implements ServerResource{
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
throw new Exception("Failed to create PF rule in VNMC for guest network with vlan " + vlanId);
}
+
+ if (!_connection.createTenantVDCIngressAclRuleForPF(tenant,
+ Long.toString(rule.getId()), policyIdentifier,
+ rule.getProtocol().toUpperCase(), rule.getSrcIp(),
+ Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
+ throw new Exception("Failed to create ACL ingress rule for PF in VNMC for guest network with vlan " + vlanId);
+ }
}
}
}