When using passive mode, the return IP address from the server can be a NAT address which cannot be accessed by clients on the other side of the firewall. A suggestion is an option to use the address on which the client initiates the connection instead of the address returned by the PASV command (obviously retain the port).
For example a connection to a server may return 192,168,0,5,3,224 - the external address of the server will definitely not be in the 192.168.0 range if the connection is over the Internet. If an option is set to use the outgoing address for the PASV connection the 192,168,0,5 would be ignored and the original outbound address used.
We picked up a problem that FileZilla was able to circumvent and I suspect that this is how they did it.
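The option requested above, sketched in Python as an added example (not code from the original post or from any FTP client). The names parse_pasv, data_endpoint and use_control_address are hypothetical, and 203.0.113.10 is a constructed control-connection address. Besides fixing the NAT case, taking the host from the control connection means the server cannot point the client's data connection at an unrelated third host.

```python
import ipaddress
import re

# A 227 reply carries h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2.
_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Ranges that cannot be reached from the far side of a NAT or firewall.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode (...)' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = _TUPLE.search(reply[3:])
    if match is None:
        raise ValueError("no address tuple in reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL)


def data_endpoint(reply, control_peer, use_control_address=True):
    """Choose where to open the data connection.

    control_peer is the address the control connection was opened to.
    With use_control_address set (the option proposed in the post), the
    host in the reply is ignored and only the port is kept. With it unset,
    the advertised host is still replaced when it is internal but the
    control peer is not, since such a host cannot be reached as given.
    """
    host, port = parse_pasv(reply)
    if use_control_address:
        return control_peer, port
    if _is_internal(host) and not _is_internal(control_peer):
        return control_peer, port
    return host, port


# Constructed sample: the reply quoted in the post, wrapped in a 227 line.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,0,5,3,224)"
```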