Looks like your router doesn’t support Passive FTP ALG – (“Application Layer Gateway”) so it’s not translating that PASV instruction to use your outside address.
Some routers do, some don’t – and finding documentation on which do and which don’t is darn near impossible.
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html#PASVFirewallProblems
Only option I know of for you is to modify the FTP configuration in the Duo to specify your outside address… and that’s got its own problems if your outside address changes…
