SSH
Evgeny Elizarov, 2011-07-27 13:21:40

Deny some users ssh from external network

Gentlemen, help please. I read man sshd, but either I read it badly or it's not there.
The task is to prevent some users from logging in via ssh from a specific interface (i.e. from the external network; they may log in only from the local subnets). What would be the best way to do this?


5 answer(s)
Next_Alex, 2011-07-27
@Next_Alex

well, you can try fiddling with DenyUsers in sshd_config:
DenyUsers
This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. See PATTERNS in ssh_config(5) for more information on patterns.

Maxim, 2011-07-27
@Maxim_ka

You can try two ways: the first is the hosts.allow/hosts.deny files, the second is iptables.
In the hosts.allow file you specify what is allowed, for example:
sshd: xxxx/yyyy: allow
xxxx - ip
yyyy - mask
and in hosts.deny:
sshd: ALL: deny

GOLDEN_key, 2011-07-27
@GOLDEN_key

Elementary Watson!
man sshd_config
for
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
i.e.
AllowUsers vasya petya [email protected]
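The DenyUsers/AllowUsers answers above can be combined with Match blocks to do exactly what the question asks with a single sshd. This is an added example, not from any of the answers: it assumes OpenSSH 6.2 or later (for Match LocalAddress), that the external interface of the server has the address 203.0.113.5, that the local subnets are 192.168.0.0/16 and 10.0.0.0/8, and that the users to restrict are alice and bob.

```sshd_config
# Global section: the usual policy for everybody.
# (AllowUsers/DenyUsers here would apply to all interfaces, which is not what we want.)
PermitRootLogin no

# Variant 1: match on the interface the connection arrived on.
# 203.0.113.5 is the assumed address of the external interface.
# DenyUsers is evaluated before AllowUsers, so this refuses alice and bob
# before authentication even if they are allowed elsewhere.
Match LocalAddress 203.0.113.5
    DenyUsers alice bob

# Variant 2: match on the client's source address instead, for a host whose
# external address changes. The pattern list means "any address, except the
# private ranges": a negated entry always wins over the wildcard, so clients
# from 192.168.0.0/16 or 10.0.0.0/8 do not match this block at all.
Match Address *,!192.168.0.0/16,!10.0.0.0/8
    DenyUsers alice bob

# Check which rules a given connection would hit, without restarting sshd
# (assumed sample client 198.51.100.7; the keywords are addr, user, host,
# laddr and lport):
#   sshd -T -C user=alice,host=client.example.net,addr=198.51.100.7,laddr=203.0.113.5,lport=22 | grep -i denyusers
# Then run `sshd -t` to syntax-check the file before reloading.
```

Note that a denied user still sees the normal authentication prompts; the refusal is logged by sshd ("User alice from 198.51.100.7 not allowed because listed in DenyUsers"), which is the line to watch for in the auth log.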

ModgaheaD, 2011-07-27
@ModgaheaD

No OS specified...
On FreeBSD this can be resolved in login.conf

ob1, 2011-07-30
@ob1

It's probably worth running two SSH servers, and setting up one for the local network and the second for the external one. Run the external SSH on a different port, and on the router (or in the firewall) set up port forwarding from port 22 of the external interface to it.
