Problem solved! ChatGPT skirted around the solution, and should have
...
Cause: netmask on the SERVER was wrong, resulting in the server trying
to use the firewall as a router. Ping worked in this case, but ssh
wouldn't. (netmask on server was 255.255.255.0, the correct mask is
255.255.252.0).
This was the result of my entering the netmask as a bit count, not as a
bit field, and I was off by 2 bits.
Fixed, now all works!
Thanks for sharing the root cause of your issue!
Netmask has tripped many of us.
-- Arun Khan