Description
Network Address Translation (NAT) in 3GPP networks is a function typically implemented in the Packet Data Network Gateway (PGW) in 4G or the User Plane Function (UPF) in 5G. It operates at the IP layer, modifying the source and/or destination IP addresses (and often port numbers) in packet headers as they traverse between the mobile user equipment (UE) and external packet data networks (PDNs) like the internet. The core mechanism involves maintaining a NAT binding table that maps each UE's private IP address (assigned from the mobile operator's pool, e.g., 10.0.0.0/8) and source port to a unique public IP address and port on the external interface. For outgoing packets from the UE, the NAT function replaces the private source IP and port with the mapped public ones; for incoming packets destined for the UE, it performs the reverse translation based on the destination port and IP in the packet.
The architecture integrates NAT within the data path of the user plane. In EPS (4G), the PGW acts as the anchor point and performs NAT for PDN connections that require it, often configured as part of the Packet Data Protocol (PDP) context or PDN connection establishment. In 5GC, the UPF performs the equivalent N6 point-of-presence function. Key components include the NAT mapping table (state), timers to manage the lifetime of inactive mappings, and algorithms for port allocation (e.g., Port Address Translation - PAT). Advanced forms like Carrier-Grade NAT (CGN) or Large Scale NAT (LSN) are employed to map thousands of UEs onto a single or a small pool of public IPv4 addresses, using port ranges to distinguish flows.
NAT's role is multifaceted: it conserves the globally scarce IPv4 address space by allowing many UEs to share few public addresses; it adds a layer of privacy and basic security by hiding internal network topology; and it simplifies network management for operators. However, it also introduces complexities, breaking the end-to-end principle of the internet. It can interfere with protocols that embed IP addresses in payloads (e.g., SIP, FTP) unless accompanied by Application Layer Gateways (ALGs) or techniques like NAT Traversal (NAT-T). Within 3GPP, NAT behavior and configuration are specified to ensure interoperability and predictable service delivery across different vendor equipment and network deployments.
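The binding-table behaviour described above, as an added example (not taken from any 3GPP specification or vendor implementation): a toy NAPT with a fixed public port block per UE, idle expiry refreshed only by outbound packets, and inbound packets dropped when no live binding exists. The class name, block size, timeout and addresses are assumptions made for illustration; filtering on the remote endpoint and release of port blocks are not modelled.

```python
import time

class CgnNat:
    """Toy NAPT (illustrative assumptions): one public IPv4, port block per UE, idle expiry."""

    def __init__(self, public_ip, block_size=4, first_port=1024,
                 idle_timeout=60.0, clock=time.monotonic):
        self.public_ip, self.block_size = public_ip, block_size
        self.next_block = first_port
        self.idle_timeout, self.clock = idle_timeout, clock
        self.blocks = {}  # ue_ip -> range of public ports reserved for that UE
        self.out = {}     # (ue_ip, ue_port) -> public_port
        self.back = {}    # public_port -> [ue_ip, ue_port, last_outbound_time]

    def _expire(self):
        now = self.clock()
        for port, (ue_ip, ue_port, seen) in list(self.back.items()):
            if now - seen > self.idle_timeout:
                del self.back[port], self.out[(ue_ip, ue_port)]

    def outbound(self, ue_ip, ue_port):
        """Source-translate a UE flow; None means no public port is available."""
        self._expire()
        key = (ue_ip, ue_port)
        if key not in self.out:
            if ue_ip not in self.blocks:
                end = self.next_block + self.block_size
                if end > 65536:
                    return None  # public port space exhausted
                self.blocks[ue_ip] = range(self.next_block, end)
                self.next_block = end
            free = [p for p in self.blocks[ue_ip] if p not in self.back]
            if not free:
                return None  # this UE's block is full
            self.out[key] = free[0]
            self.back[free[0]] = [ue_ip, ue_port, 0.0]
        port = self.out[key]
        self.back[port][2] = self.clock()  # only outbound traffic refreshes
        return (self.public_ip, port)

    def inbound(self, dst_ip, dst_port):
        """Reverse-translate; None means no live binding, so the packet is dropped."""
        self._expire()
        entry = self.back.get(dst_port) if dst_ip == self.public_ip else None
        return (entry[0], entry[1]) if entry else None

    def block_owner(self, public_port):
        """Attribute a public port to the UE whose block contains it."""
        return next((ue for ue, r in self.blocks.items() if public_port in r), None)
```

Because each UE owns a contiguous port block, `block_owner` can attribute a public port to a subscriber even after the individual binding has expired, which is why the public port, and not only the public address, has to be recorded when tracing traffic behind a CGN.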
Purpose & Motivation
NAT was adopted in 3GPP networks primarily to mitigate the exhaustion of public IPv4 addresses, a critical issue that emerged with the explosive growth of mobile internet devices. Without NAT, each UE requiring internet access would need a unique public IPv4 address, a requirement unsustainable given the limited address space. NAT solves this by allowing operators to use large private address spaces internally (RFC 1918) and map them to a much smaller pool of public addresses. This enabled the cost-effective scaling of mobile broadband services from 3G (R99) onwards.
Historically, early mobile data services had limited scale and sometimes used public addressing. As services expanded, NAT became a necessary network function. Its integration into 3GPP standards ensured a consistent, vendor-interoperable approach to address conservation. Furthermore, NAT provided incidental benefits like a basic firewall effect, as unsolicited inbound traffic without an existing mapping is typically dropped, enhancing network security. Although IPv6 has abundant addresses, the transition to it progressed slowly, and NAT provided an immediate, backward-compatible solution in the meantime. NAT's purpose evolved to also support network architectures like fixed-mobile convergence and multi-homing, where traffic from different access types is aggregated through a common gateway performing NAT.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (75 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, specific clarifications and enhancements were made to the NAT function and related addressing procedures. These included clarifications on the handling of additional IP addresses and URI assignments. Furthermore, the release introduced detailed procedures for managing the remaining IP address or prefix lifetime specifically in conjunction with SSC mode 3.
In Release 16, the key new development for the NAT function was the formal introduction and architectural support for NAT within the 5GS, as per the dedicated "Solution on support of NAT in 5GS" work item. This release specified the capability for the UPF to perform UE IP address allocation, including the associated N4 interface impacts, and expanded IP addressing options including allocation via AAA/DHCP and functional alias addressing for MCX services.
- IP addressing enhancements (TS 23.501, CR0746)
- UE IP address Allocation by UPF: N4 impacts (TS 23.501, CR0931)
- Addition of UE IP address Allocation by UPF (TS 23.501, CR0954)
- UE IP address Allocation by AAA/DHCP (TS 23.501, CR1180)
- Stateless IPv6 Address Autoconfiguration for Control Plane CIoT 5GS Optimisation (TS 23.501, CR1417)
- Solution on support of NAT in 5GS (TS 23.501, CR1986)
+ 24 more changes
In Release 17, enhancements to NAT-related functions included enabling NAT traversal for TNGF/N3IWF access at the layer below IPsec and providing clarifications on source and destination address settings for PMF messages. The release also introduced support for mapping from IP addressing information provided to an Application Function (AF) to the user identity, and it addressed backwards incompatibility for time synchronization in DS-TT. Furthermore, updates were made to the External Exposure of Network Capability regarding the ECS address.
- Support of functional aliases as called party address in MCPTT emergency private calls (TS 23.379, CR0225)
- DCS providing PVS address to ONN (TS 23.501, CR3085)
- Support of the mapping from IP addressing information provided to an AF to the user identity (TS 23.501, CR2385)
- Media plane security when using a functional alias as target address for private MCPTT calls (TS 23.379, CR0256)
- Correction of private call setup procedures when using a functional alias as target address (TS 23.379, CR0261)
- NEF discovery and selection based on AF address (TS 23.501, CR3018)
+ 7 more changes
In Release 18, key enhancements for the NAT function included explicit support for NAT exposure as defined in technical specifications 23.501 and 23.502, aligning with conclusions from the UPEAS work. The release also introduced the translation of internal-external addressing information to assist application-layer AI/ML operations and enabled functional aliases to be used as target addresses towards partner MCData systems.
- Functional alias as target address towards a partner MCData system (TS 23.280, CR0334)
- Addressing EN related to implicit affiliation to ad hoc group alert participants (TS 23.280, CR0398)
- Support of NAT exposure in 23.501 according to the conclusion in UPEAS (TS 23.501, CR3825)
- Support of NAT exposure aligned with TS 23.502 (TS 23.501, CR4445)
- DCM selection based on IP address and location (TS 23.228, CR1357)
- MC client IP address relationship (TS 23.280, CR0336)
+ 5 more changes
In Release 19, the NAT function was enhanced with new event exposure and subscription capabilities focused on the UE's IP address. Specifically, it introduced support for direct subscription to UPF events using a UE IP address and added the exposure of UE NAT mapping information. Furthermore, the UPF NF profile was updated to include NAT information exposure and Packet Inspection functionality.
- Address ENs in IMS AS Session Management Service (TS 23.228, CR1483)
- Adding the NAT information exposure and Packet Inspection functionality in the UPF NF profile (TS 23.501, CR5420)
- Enhancement of getting public UE IP address and port number (TS 23.501, CR5445)
- Exposure enhancements for static UE IP address assignment and 5G VN group's User Plane Security Policy (TS 23.501, CR5492)
- Supporting direct subscription of UPF event exposure using UE's IP address (TS 23.501, CR5540)
- NAT functionality in the UPF of BH PDU Session (TS 23.501, CR5650)
+ 10 more changes
In Release 20, the NAT function was enhanced with a new capability to provide per-subscriber Allowed MAC addresses sourced from the Unified Data Management (UDM). This introduces a more granular, subscription-based policy control for network access translation, moving beyond traditional IP address-based rules. The update leverages the verified identity information of the user to enforce these specific MAC address allowances.
- Providing per-subscriber Allowed MAC addresses from UDM (TS 23.501, CR6395)
Defining Specifications
3GPP specifications that define or reference NAT, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 22.495 v1700 | NGN Requirements for IMS Services | Rel-7 |
| TR 22.832 vh40 | Study on cyber-physical control in vertical domains | Rel-17 |
| TS 23.179 vd50 | MCPTT Functional Architecture | Rel-13 |
| TS 23.221 vj00 | 3GPP System Architectural Requirements | Rel-19 |
| TS 23.228 vj50 | IMS Stage-2 Service Description | Rel-19 |
| TS 23.234 vd10 | 3GPP-WLAN Interworking Index | Rel-13 |
| TS 23.280 vk10 | Common Architecture for Mission Critical Services | Rel-20 |
| TS 23.334 vj00 | IMS-ALG to IMS-AGW Interface (Iq) Stage 2 | Rel-19 |
| TS 23.379 vk00 | MCPTT Functional Architecture | Rel-20 |
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TS 23.700 vk00 | XR Services Application Enablement Layer | Rel-20 |
| TS 23.701 vc00 | WebRTC Access to IMS Architecture Study | Rel-12 |
| TR 23.758 vh00 | Study on Edge Application Architecture | Rel-17 |
| TS 23.875 v1500 | Feasibility Study for Push Services Architecture | Rel-5 |
| TR 23.981 vj00 | IPv4 IMS Interworking and Migration Study | Rel-19 |
| TS 24.139 vj00 | UE-EPC Procedures for Fixed Broadband Access | Rel-19 |
| TS 24.229 vj50 | IMS call control protocol based on SIP and SDP | Rel-19 |
| TS 24.281 vj40 | MCVideo Signalling Control Specification | Rel-19 |
| TS 24.379 vj50 | Mission Critical Push To Talk (MCPTT) call control | Rel-19 |
| TS 24.523 vj00 | NGCN-NGN Interconnection Scenarios | Rel-19 |
| TS 24.820 vb00 | 3GPP-Fixed Broadband Interworking Procedures | Rel-11 |
| TS 26.236 vc00 | Packet Switched Conversational Multimedia Protocols | Rel-12 |
| TS 26.506 vj20 | Real-Time Media Communication Architecture for 5G | Rel-19 |
| TS 26.804 vj10 | 5G Media Streaming Extensions Study | Rel-19 |
| TR 26.806 vi00 | Technical Report on Smartly Tethering AR Glasses | Rel-18 |
| TR 26.923 vj00 | Study on IMS-based Telepresence Media Handling | Rel-19 |
| TR 26.998 vj00 | 5G AR/MR Glasses Integration Study | Rel-19 |
| TS 28.314 vk00 | Management and Orchestration - Plug and Connect | Rel-20 |
| TS 29.139 vj00 | H(e)NB - SeGW Interface Specification | Rel-19 |
| TS 29.212 vj00 | Gx/Gxx/Sd/St Diameter Protocol | Rel-19 |
| TS 29.238 vj00 | H.248 Profile for IBCF-TrGW Interface | Rel-19 |
| TS 29.334 vj00 | IMS-ALG to IMS-AGW Interface Protocol | Rel-19 |
| TS 29.421 v810 | IMS Interworking with External IP Networks | Rel-8 |
| TS 29.564 vj50 | Nupf Service Based Interface Protocol | Rel-19 |
| TS 29.828 vc10 | IMS Media Plane Security H.248 Profiles Study | Rel-12 |
| TS 29.839 vb00 | H(e)NB - SeGW Interface Specification | Rel-11 |
| TS 32.501 vj00 | Self-Configuration of Network Elements Concepts | Rel-19 |
| TS 33.128 vj50 | 3GPP TS 33.128: Lawful Interception Protocols | Rel-19 |
| TS 33.203 vj10 | IMS Security Specification | Rel-19 |
| TS 33.210 vj20 | UMTS Security for IP Networks | Rel-19 |
| TS 33.234 vj00 | 3GPP-WLAN Interworking Security | Rel-19 |
| TS 33.320 vj00 | H(e)NB Subsystem Security Architecture | Rel-19 |
| TR 33.739 vi10 | Study on security enhancement of support for | Rel-18 |
| TS 33.749 vj00 | Study on security aspects of edge computing enhancement | Rel-19 |
| TS 33.822 v1800 | Security Architecture for Inter-Access Mobility | Rel-8 |
| TS 33.871 vc00 | Security for WebRTC IMS Client Access | Rel-12 |
| TR 33.978 v1800 | Interim Security for Early IMS | Rel-8 |
| TS 36.579 | 3GPP TR 36.579 | R99 |
| TS 37.579 vi40 | Mission Critical services conformance testing | Rel-18 |
| TS 44.318 vj00 | Generic Access Network (GAN) Interface Procedures | Rel-19 |