I want to protect SSH access to our live web server from all IPs except our office static IP.
There are some employees who connect to this live server from their dynamic IPs. So, it is not always possible for me to change the iptables rule on the live server whenever the dynamic IP of an employee changes.
I tried to put them on the office VPN and allowed only SSH access from the office IP, but the office connection is slow compared to our employees' private internet connections; moreover, it adds extra overhead to our office network.
Is there any way I can solve this problem?
I would recommend losing the IP restriction and requiring both key-based and password-based authentication to log in. I think this would get you better security in the end and then you won't have to worry about dynamic IPs.
You might want to consider port knocking (http://en.wikipedia.org/wiki/Port_knocking and http://www.zeroflux.org/projects/knock) to allow the opening of specific dynamic IPs for a limited time and revoking them later.
I haven't used this method personally, but there are some good-looking examples on the site.
How many staff with dynamic IPs? If a small number, you could just pay for them to have static IPs and you keep your security policy intact and config simple. I'm sure you already considered that.
If you are willing to loosen some policies, you could in theory find out your staff ISP subnets and limit access to those, which may reduce exposure significantly, although I think this would be an unusual approach.
If you are serious about securing SSH you should be looking at key logins only, with some requirements that the keys are password protected, and possibly even expiring them on a scheduled basis.
Don't give your SSH users root access. Use sudo to give access to root-type commands. Use logwatch or similar to keep an eye on what is going on.
Also, this is a web server - your default config of SSH is probably far more secure than other aspects of the system you are deliberately exposing to the internet, even if a compromise would be more serious. Don't forget about securing the rest of the server and the code you run on it.
An excellent guide to securing a Linux server can be found here. Specifics are CentOS/RedHat, but it goes over a lot of options common to all distros.
In addition to the other suggestions, you might also consider running sshd on a non-standard port number. This won't slow down a targeted attack very long, but it will sidestep some of the automated brute-force attacks that scan the Internet for hosts running sshd on port 22.
ConfigServer Firewall can be set up to automatically whitelist dynamic IPs. You'll need to set up a dynamic domain name for each client in order for this to work - some dynamic IP sites will provide you with a client-side executable that keeps the IP current. I use no-ip.com for this purpose.
Some firewalls support using DNS entries, so services like http://www.no-ip.com/services/managed_dns/free_dynamic_dns.html can be used to restrict access.
If you just want to use iptables, you could probably have something scripted to check the DNS names (I don't think iptables supports using DNS entries to grant access).
But Kyle has a good answer in requiring key-based auth. I don't know how to require both keys and passwords, so my method would be to require keys to access the server.
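The scripted DNS check suggested in the last answer, as an added example that is not code from any of the posters: it resolves each employee's dynamic-DNS name, validates every answer, and rebuilds one dedicated chain that admits only those addresses and the office IP to port 22. The chain name, host names and office address are placeholders, and `getent` plus `iptables-restore` are assumed to be installed.

```shell
#!/bin/sh
# Rebuild one iptables chain from the current A records of dynamic-DNS names.
# One-time setup by hand: iptables -N SSH_DYNDNS, then in INPUT a jump
#   -p tcp --dport 22 -j SSH_DYNDNS followed by -p tcp --dport 22 -j DROP.
CHAIN="SSH_DYNDNS"                                 # hypothetical chain name
OFFICE_IP="203.0.113.10"                           # constructed placeholder
HOSTS="alice.dyn.example.net bob.dyn.example.net"  # constructed placeholders

# Print the IPv4 addresses a name resolves to right now, one per line.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Succeed only for a dotted quad with each octet in 0..255, so nothing a
# resolver returns can add extra text to a rule line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit an iptables-restore payload for $CHAIN. $1 is the resolver command, the
# remaining arguments are host names. The office address is always allowed.
build_ruleset() {
    resolver=$1; shift
    printf '%s\n' "*filter" ":$CHAIN - [0:0]"
    printf '%s\n' "-A $CHAIN -s $OFFICE_IP/32 -p tcp --dport 22 -j ACCEPT"
    for host in "$@"; do
        "$resolver" "$host" | while read -r ip; do
            if is_ipv4 "$ip"; then
                printf '%s\n' "-A $CHAIN -s $ip/32 -p tcp --dport 22 -j ACCEPT"
            else
                printf 'skipping bad answer for %s\n' "$host" >&2
            fi
        done
    done
    printf '%s\n' "COMMIT"
}

# Apply only on request (for example from cron). With --noflush only the chain
# declared in the payload is flushed and refilled; other rules are untouched.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset resolve_v4 $HOSTS | iptables-restore --noflush
fi
```

An allowlist built this way is only as trustworthy as the dynamic-DNS accounts behind it, so it complements the key-based authentication recommended in the answers rather than replacing it.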