[dguinn]

Ok, again, silly question here, any chance that you need a outbound NAT rule for his particular IP/Range, and be sure it's placed BEFORE the 10021 port rule, so that you can be sure that the outbound packet is excluded from the blanket ANY translation?

e.g.:

source,dest,port...source,dest,port
problem_ip,EXT_ftpsvr,ftp...orig,INT_ftpsvr,10021
INT_ftpsvr,problem_ip,10021 EXT_ftpsvr,orig,ftp
orig, EXT_ftpsvr,10021...orig,INT_ftpsvr,orig
INT_ftpsvr,orig, 10021...EXT_ftpsvr,ANY,orig

I know, this should be stateful, but it might warrant a look since it's a complex TCP type protocol.