This problem occured also for me.
I solved it without using "access-class" in "line vty 0 4" - i made restriction to ssh through policy-map and assined it to zone-pair in ZBW:
object-group network SSH_NGROUP
host x.x.x.x
host y.y.y.y
!
ip access-list extended SSH_OUSIDE
permit ip object-group SSH_NGROUP any
!
class-map type inspect match-all SSH_ACL_CMAP
match protocol ssh
match access-group name SSH_OUSIDE
!
class-map type inspect match-any UNTRUST_SELF_CMAP
match class-map SSH_ACL_CMAP
!
policy-map type inspect UNTRUST_SELF_POLICY
class type inspect UNTRUST_SELF_CMAP
inspect
class class-default
drop
!
zone-pair security UNTRUST-SELF source UNTRUST destination self
service-policy type inspect UNTRUST_SELF_POLICY
