My first take on something like that is always traceroute. Did you try that locally and also from remote ?
Did you try to capture what's happening, when u try to connect to your local interface 192.168.20.2 using tcpdump ?
Same goes for, did you try to reach 192.168.20.2:ssh remotely, for instance from 192.168.20.1 ?
What is the bigger picture of this configuration ? You mentioned the host is doing NAT and there is also a VLAN involved. Usually NAT indicates that your host is a router and if a router is connected to a VLAN the port is in trunk mode, which means all packages are tagged by the switch with their appropriate VLAN ID, which also means that there usually needs to be some configuration on the router as well. You also mentioned WAN which usually indicates where the default route is pointing, on the other hand you want that there is a second "default" route to a network behind 192.168.20.1, which brings me back to my initial question for this paragraph. ?
The last thing for debugging purpose, I would recommend, is to disable the firewall. ?
Edit:
I forgot to mention regarding your sshd configuration. There are four options here:
Option A)
Listen 0.0.0.0
Option B)
Listen 192.168.20.2
Listen 203.1.1.7
Option C)
Listen 192.168.20.2
Option D)
Listen 203.1.1.7
Option A and Option B are the same. A combination of Option A) with any of the other options (B, C, D), I cannot recommend.
Did you try to capture what's happening, when u try to connect to your local interface 192.168.20.2 using tcpdump ?
Code:
$ tcpdump -i igb1 host 192.168.20.2 and port sshSame goes for, did you try to reach 192.168.20.2:ssh remotely, for instance from 192.168.20.1 ?
What is the bigger picture of this configuration ? You mentioned the host is doing NAT and there is also a VLAN involved. Usually NAT indicates that your host is a router and if a router is connected to a VLAN the port is in trunk mode, which means all packages are tagged by the switch with their appropriate VLAN ID, which also means that there usually needs to be some configuration on the router as well. You also mentioned WAN which usually indicates where the default route is pointing, on the other hand you want that there is a second "default" route to a network behind 192.168.20.1, which brings me back to my initial question for this paragraph. ?
The last thing for debugging purpose, I would recommend, is to disable the firewall. ?
Edit:
I forgot to mention regarding your sshd configuration. There are four options here:
Option A)
Listen 0.0.0.0
Option B)
Listen 192.168.20.2
Listen 203.1.1.7
Option C)
Listen 192.168.20.2
Option D)
Listen 203.1.1.7
Option A and Option B are the same. A combination of Option A) with any of the other options (B, C, D), I cannot recommend.