If you have a Cisco device in the network, use it to examine packets as they pass to determine what port numbers PASV traffic uses. There are ways of doing this with a network card in promiscuous mode but they are a bit close to hacking tools you do not want to tempt anybody with.
Set your Cisco login session to record. At the prompt, enter:
debug ip packet
This puts every packet on the screen. To cancel, enter: no debug ip packet
Examine the IP traffic that PASV uses and extract all the port numbers, then open only those port numbers. Test. Adjust.
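The extraction step above is tedious by hand, so here is an added example (not part of the original post) that does it over the recorded session log. It assumes a few things the post leaves implicit: the debug was run as debug ip packet <acl> detail, because the detail keyword is what makes IOS print the TCP source and destination ports (without it you only get IP addresses), and with an access list limiting it to the FTP server's address so a busy router is not swamped; terminal monitor is on if you are on a vty rather than the console; and undebug all is at hand if output becomes unmanageable. Also note that debug ip packet only shows process-switched packets, so on interfaces with fast or CEF switching enabled some transit traffic will never appear. The FTP server address 10.0.0.5, the access-list name FTP-PASV-IN and the log lines are constructed for illustration; the line layout approximates IOS debug output and varies by release.

```python
"""Pull PASV data-channel ports out of a logged Cisco `debug ip packet detail`
session and print matching IOS access-list entries.

Added example for illustration; not code from the original post.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of a logged session (not real traffic).  Layout
# approximates `debug ip packet <acl> detail`: one IP line, then a TCP line
# carrying the ports and flags.  10.0.0.5 is the assumed FTP server.
SESSION_LOG = """\
*Mar  1 00:12:34.567: IP: s=192.168.1.10 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:34.567:     TCP src=49152, dst=21, seq=1, ack=0, win=65535 SYN
*Mar  1 00:12:35.001: IP: s=10.0.0.5 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), len 60, forward
*Mar  1 00:12:35.001:     TCP src=21, dst=49152, seq=7, ack=2, win=8192 SYN ACK
*Mar  1 00:12:36.250: IP: s=192.168.1.10 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:36.250:     TCP src=49153, dst=50020, seq=1, ack=0, win=65535 SYN
*Mar  1 00:12:40.110: IP: s=192.168.1.11 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:40.110:     TCP src=41000, dst=50021, seq=1, ack=0, win=65535 SYN
*Mar  1 00:12:41.000: IP: s=192.168.1.11 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:41.000:     TCP src=41000, dst=50021, seq=2, ack=9, win=65535 ACK
*Mar  1 00:12:42.000: IP: s=192.168.1.12 (FastEthernet0/0), d=10.0.0.9 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:42.000:     TCP src=33000, dst=443, seq=1, ack=0, win=65535 SYN
*Mar  1 00:12:43.000: IP: s=192.168.1.12 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), len 60, forward
*Mar  1 00:12:43.000:     TCP src=33001, dst=50020, seq=1, ack=0, win=65535 SYN
"""

IP_RE = re.compile(r"IP: s=(\S+) \([^)]*\), d=(\S+) \([^)]*\)")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+),(.*)$")


def pasv_ports(log: str, ftp_server: str, control_port: int = 21) -> Dict[int, int]:
    """Return {data_port: count} of client-initiated connections to the server.

    A PASV data channel is opened by the client, so we keep only SYNs (not
    SYN/ACKs) whose destination is the server and whose port is neither the
    control port nor a well-known port.
    """
    counts: Counter = Counter()
    dst = None
    for line in log.splitlines():
        ip = IP_RE.search(line)
        if ip:
            dst = ip.group(2)          # remember the addresses for the TCP line
            continue
        tcp = TCP_RE.search(line)
        if not tcp or dst != ftp_server:
            continue
        dport = int(tcp.group(2))
        flags = {tok for tok in tcp.group(3).split() if tok.isupper()}
        if "SYN" in flags and "ACK" not in flags and dport != control_port and dport > 1023:
            counts[dport] += 1
    return dict(counts)


def acl_lines(ports: Iterable[int], ftp_server: str, acl_name: str = "FTP-PASV-IN") -> List[str]:
    """Build an IOS named extended ACL permitting the control port plus each
    observed data port to the server (implicit deny covers the rest)."""
    lines = [f"ip access-list extended {acl_name}",
             f" permit tcp any host {ftp_server} eq 21"]
    for port in sorted(ports):
        lines.append(f" permit tcp any host {ftp_server} eq {port}")
    return lines


def range_entry(ports: Iterable[int], ftp_server: str) -> str:
    """Single `range` entry spanning the observed ports, for the case where the
    server's configured passive range is wider than what a short capture saw."""
    ports = sorted(ports)
    return f" permit tcp any host {ftp_server} range {ports[0]} {ports[-1]}"


if __name__ == "__main__":
    seen = pasv_ports(SESSION_LOG, "10.0.0.5")
    print("observed PASV ports:", seen)
    print("\n".join(acl_lines(seen, "10.0.0.5")))
    print(range_entry(seen, "10.0.0.5"))
```

Treat the result as a sample, not the whole answer: the FTP server picks each data port from its configured passive range, so a short capture will only show a subset. Compare the observed ports against the server's passive port setting, open that range with a single range entry if it is deliberately narrow, and then test and adjust as the post says.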