This is two questions.
For Q2, using advanced ACL to specify IP adresss.
For example, permit ssh user(192.168.0.1/32) access lookback0(1.1.1.1/32)
#
acl number 3000
rule 5 permit ip source 192.168.0.1 0 destination 1.1.1.1 0
#
user-interface vty 0 4
acl 3000 inbound
#