I have an ASR router with multiple IP interfaces. Is there any way to restrict SSH access to the management interface only (gigabit 0)? As of now the router is reachable via any of the IP interfaces. I know I can create access-lists and apply them to the interfaces; however, there's a limitation in which the destination address in the ACL is not checked, therefore I'd be denying any SSH traffic ingress.
I believe that you are talking about trying to use access-class on the vty with an extended access list. And it is true that using an extended access list that way does not check the destination address. I believe that there is a solution for your requirement using control plane policing, which I assume is supported on your platform. Here is a discussion about that which I hope you will find helpful:
Unable to assign a service-policy to the control plane, and unable to set the control-plane management-interface to the Gigabit0 interface.
When I found that discussion I hoped that it would be the solution for your requirements. Sorry that it does not work on your ASR. But the more I look at the documentation for control plane policing the less confident I am that it was the optimum solution. Perhaps what we are looking for is the management plane protection. I hope this link will provide helpful information about this: