Solaris 11 zones, networking and blocked ports

Our Solaris admin quit. We are building a new system. I have been tasked to help. I have a Solaris box with a global zone and 15 non-global zones. Some NGZs can ssh to other NGZ. Many cannot ssh at all. I can zlogin from GZ to all NGZ. Here is how I have tried to troubleshoot:

`
1) copy a master hosts file to all zones
2) ssh -vvv somehost* (for problem zones this hangs at " debug2: ssh_connect: needpriv 0  debug1: Connecting to x.x.x.x [x.x.x.x] port 22."
3) telnet somehost 22  (for problem zones this never connects)

` One last caveat: I was told there was a firewall NGZ built in the original design that was never implemented, but no way to prove it. How can I track down the source blocking these ports