# Access from External Network without NAT --- #### Access from LAN to External Network without NAT If necessary (as a rule, when SafeUTM is located inside a LAN, and not on the border with the Internet), it is possible to organize direct access to some resources of networks external to SafeUTM without using NAT. For example, let's analyze the firewall configuration for non-NAT access to IP address: **10.0.0.1** (in general, it can also be a network or a range of IP addresses). 1. Turn off the parameter **Automatic local SNAT** in **Traffic Rules -> Firewall.** 2. In the firewall, in the SNAT table, create a rule with the action **Don't use SNAT** for this destination IP address. [![1. Access from External Network without NAT.png](https://docs.safedns.com/uploads/images/gallery/2022-09/scaled-1680-/cjoGHtCboAzPQ4xx-1-access-from-external-network-without-nat.png)](https://docs.safedns.com/uploads/images/gallery/2022-09/cjoGHtCboAzPQ4xx-1-access-from-external-network-without-nat.png) 3. With the next rule, create SNAT rules for your local network (so that other hosts work via NAT). [![2. Access from External Network without NAT.png](https://docs.safedns.com/uploads/images/gallery/2022-09/scaled-1680-/YveuHAV2J0gAsg1K-2-access-from-external-network-without-nat.png)](https://docs.safedns.com/uploads/images/gallery/2022-09/YveuHAV2J0gAsg1K-2-access-from-external-network-without-nat.png) **The final firewall rules look like this: [![3. Access from External Network without NAT.png](https://docs.safedns.com/uploads/images/gallery/2022-09/scaled-1680-/4oB6FUCN2DzCAXlq-3-access-from-external-network-without-nat.png)](https://docs.safedns.com/uploads/images/gallery/2022-09/4oB6FUCN2DzCAXlq-3-access-from-external-network-without-nat.png)**

On LAN devices, SafeUTM must be used as the main gateway, or the necessary route to external IP addresses through SafeUTM must be prescribed. Also, LAN devices must be authorized on UTM. On devices from an external network (in relation to SafeUTM), SafeUTM must also be used as the main gateway, or there must be a route to the local network via SafeUTM.