The interface you connect to should have host-inbound-traffic system-service ssh enabled. If you pass through another zone to reach this interface you should have a policy to allow you to reach the destination ip. Ssh should be enabled as a system service. That's all I can think of.