Before we get started, you may want to refer to FTP Connections and Firewalls, a node I wrote a while ago, for details on active and passive mode.

There are four scenarios:

1) Neither end is behind a firewall.

2) If the client end is firewalled,
you need to use passive mode, and
the firewall must allow outgoing connections to and from random ports.

3) If the server end is firewalled,
you need to use active mode,
the firewall must allow incoming connections to port 21 from random ports, and
the firewall must allow outgoing connections to and from random ports.

4) If both ends are behind firewalls, you screwed.

Alternatively, all of the above can potentially be solved by running a FTP proxy on the firewall may be an alternate solution. I'm not very familiar with their workings, but I could take an educated guess if you desire.

There's two reasons for the above.

1) FTP servers/clients usually use a random (i.e. system provided) port for the server end of the data connection (i.e. client for active, server for passive), which is a big no-no for firewalls.

2) FTP sends an IP address in the data stream, which is a big no-no for NAT. [*]

They both prevent a sever behind the NAT router from using passive mode, and they both prevent a client behind a NAT router from using active mode.

[*]

Some NAT routers compensate for this in part or in whole. For example, the Linksys BEFSR41 (4 port wired NAT "router" switch) fixes active mode when communicating with outside servers on port 21.