If you have another IP to use for SNAT, you could setup an incoming VIP using a SNAT and an outgoing VIP using the incoming SNAT address using the incoming VIP as its SNAT. Both VIPs would be setup as listening on ANY since you won’t know what port the passive client will use for the data connection and you won’t know which port the server will send to on the active connection. Basically you would be forwarding all ports hitting your incoming VIP to the ftp pool, the trick is listening for the new session the server creates in active ftp, which the outbound vip would forward all ports hitting the outbound vip SnAT’d back to the incoming VIP address. Not pretty but it should work. If your handy with irules, you may be able to snoop the TCP stream and lock the traffic down by client address, server address or both and drop all others as an added layer of security.
My .02 cents anyway...