diff --git a/patches/systemvm/debian/config/opt/cloud/bin/cloud-nic.sh b/patches/systemvm/debian/config/opt/cloud/bin/cloud-nic.sh
index 2701ef7d1e6..8dd623a6416 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/cloud-nic.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/cloud-nic.sh
@@ -20,7 +20,7 @@ unplug_nic() {
 action=$1
 dev=$2
-tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+tableNo=${dev:3}
 tableName="Table_$dev"
 if [ $action == 'add' ]
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_ipassoc.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_ipassoc.sh
index 5f10abe3de4..6eb83898ab1 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_ipassoc.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_ipassoc.sh
@@ -64,7 +64,7 @@ add_an_ip () {
 sudo ip link set $ethDev up
 sudo arping -c 3 -I $ethDev -A -U -s $pubIp $pubIp
 fi
- local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
+ local tableNo=${ethDev:3}
 sudo iptables-save -t mangle | grep "PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-mark" 2>/dev/null
 if [ $? -gt 0 ]
 then
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_portforwarding.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_portforwarding.sh
index 5eaf29489ff..f8bee33442a 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_portforwarding.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_portforwarding.sh
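Review bot: `tableNo=${dev:3}` strips the `eth` prefix by position rather than by name, so a device that is not called `ethN` (or an empty `$dev`) yields a wrong or empty table number with no error; the same applies to `local tableNo=${ethDev:3}` in vpc_ipassoc.sh's add_an_ip, where the value appears to feed the CONNMARK `--set-mark` that the next line greps for. `${dev#eth}` keeps the prefix-based meaning of the awk expression being replaced and is POSIX, whereas `${var:offset}` is a bash-only substring expansion, which matters if cloud-nic.sh runs under /bin/sh (its shebang is outside the hunk). Pairing it with a guard such as `case "$dev" in eth[0-9]*) tableNo=${dev#eth} ;; *) logger -t cloud "$(basename $0): unexpected device name $dev"; exit 1 ;; esac` makes an unexpected name fail loudly instead of producing a stray table or mark. The header names unplug_nic, but `action=$1`/`dev=$2` read like top-level lines; either way, how tableNo is consumed in cloud-nic.sh lies outside the hunk, as does the rest of add_an_ip.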
@@ -78,89 +78,15 @@ tcp_or_udp_nat() {
 }
-one_to_one_fw_entry() {
- local publicIp=$1
- local instIp=$2
- local proto=$3
- local portRange=$4
- local op=$5
- logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
- instance ip=$instIp proto=$proto portRange=$portRange op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- sudo iptables -t nat $op PREROUTING -d $publicIp --proto $proto \
- --destination-port $portRange -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]
-
- result=$?
- logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-static_nat() {
- local publicIp=$1
- local instIp=$2
- local op=$3
- local op2="-D"
- local rulenum=
- local proto="all"
- local tableNo = ""
- logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
- instance ip=$instIp op=$op"
-
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- [ "$op" == "-A" ] && rulenum=1
- [ "$op" == "-A" ] && op2="-I"
- DEV_LIST = `ls /sys/class/net/ | grep eth`
- for dev in $DEV_LIST; do
- ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
- if [ $? -eq 0 ]
- then
- tableNo=$(echo $dev | awk -F'eth' '{print $2}')
- break
- fi
- done
- if [ -z "$tableNo" ]
- then
- logger -t cloud "$(basename $0): failed due to cannot find eth device for public IP $publicIp"
- return 3
- fi
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING -d $publicIp -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- # add mark to force the package go out through the eth the public IP is on
- (sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
- --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
- --to-source $publicIp &>> $OUTFILE )
- result=$?
- logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-
 rflag=
 Pflag=
 pflag=
 lflag=
 dflag=
 op=""
-protocal="none"
-ports="none"
-dports="none"
+protocal="any"
+ports="any"
+dports="any"
 while getopts 'ADr:P:p:l:d:' OPTION
 do
 case $OPTION in
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
new file mode 100755
index 00000000000..bcf0c5a950f
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
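Review bot: The new defaults `protocal="any"`, `ports="any"` and `dports="any"` are sentinel strings with no comment saying what "any" stands for, and the code that tests them (the `case` arms and whatever branched on the old "none") continues past the hunk, so any comparison still written against "none" would silently become unreachable — worth confirming those were updated in the same commit. A one-line comment above the three assignments, `# "any": default when the corresponding getopts option is not given`, would state the contract at the point where it is set. The misspelt `protocal` predates this change and is presumably referenced later in the file, so it is not something this hunk should rename on its own.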
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: (-A|-D) -r -l -d < eth device> \n" $(basename $0) >&2
+}
+
+#set -x
+
+static_nat() {
+ local op=$1
+ local publicIp=$2
+ local instIp=$3
+ local op2="-D"
+ local tableNo=${ethDev:3}
+
+ logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
+ instance ip=$instIp op=$op"
+ #if adding, this might be a duplicate, so delete the old one first
+ [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp
+ # the delete operation may have errored out but the only possible reason is
+ # that the rules didn't exist in the first place
+ [ "$op" == "-A" ] && rulenum=1
+ [ "$op" == "-A" ] && op2="-I"
+
+ # shortcircuit the process if error and it is an append operation
+ # continue if it is delete
+ (sudo iptables -t nat $op PREROUTING -i $ethDev -d $publicIp -j DNAT \
+ --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ # add mark to force the package go out through the eth the public IP is on
+ (sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
+ --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op2 POSTROUTING -i $ethDev -s $instIp -j SNAT \
+ --to-source $publicIp &>> $OUTFILE )
+ result=$?
+ logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
+ if [ "$op" == "-D" ]
+ then
+ return 0
+ fi
+ return $result
+}
+
+
+
+rflag=
+lflag=
+dflag=
+op=""
+while getopts 'ADr:l:d:' OPTION
+
+do
+ case $OPTION in
+ A) op="-A"
+ ;;
+ D) op="-D"
+ ;;
+ r) rflag=1
+ instanceIp="$OPTARG"
+ ;;
+ l) lflag=1
+ publicIp="$OPTARG"
+ ;;
+ d) dflag=1
+ ethDev="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+OUTFILE=$(mktemp)
+
+static_nat $op $publicIp $instanceIp
+result=$?
+unlock_exit $result $lock $locked
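Review bot: The `rflag`/`lflag`/`dflag` variables set in the getopts loop are never read, so `static_nat $op $publicIp $instanceIp` runs even when `-A`/`-D`, `-r`, `-l` or `-d` was omitted; with `-d` missing, `ethDev` and therefore `local tableNo=${ethDev:3}` are empty, the `-i $ethDev` and `--set-mark $tableNo` arguments vanish from the unquoted command lines, and the caller gets whatever iptables says about that (or, on the `-D` path, an unconditional 0) instead of a usage error. A check after `done` that calls `usage` and `unlock_exit 2 $lock $locked` when any of them is unset closes that gap; the lines are below. Two smaller points in the same function: the mangle rule writes `&> $OUTFILE` while the other two use `&>>`, so it truncates the nat rule's output from the same run, and `rulenum=1` is still assigned although the `-I POSTROUTING` call no longer passes it. `OUTFILE=$(mktemp)` is also never removed, so every invocation leaves a temp file behind; `rm -f $OUTFILE` before the final `unlock_exit` fixes that. `getLockFile` and `unlock_exit` come from /root/func.sh, which is outside this diff.
```shell
done

if [ -z "$op" ] || [ -z "$rflag" ] || [ -z "$lflag" ] || [ -z "$dflag" ]
then
  usage
  unlock_exit 2 $lock $locked
fi

OUTFILE=$(mktemp)
```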