Cisco Defense Orchestrator (CDO) offers users the ability to manage ASAs using a command-line interface (CLI). Users can send commands to a single ASA or to multiple ASAs simultaneously. The CLI feature is currently only available for use with ASA devices. This article describes sending CLI commands to a single ASA.
Note: For detailed ASA CLI documentation, see ASA Command Line Interface Documentation.
How to enter commands
A single command can be entered on a single line or several commands can be entered sequentially on several lines and CDO will execute them in order as a batch. The following example sends to the ASA a batch of commands which creates three network objects and a network object group that contains those network objects.
If you enter a very long command, CDO attempts to break up your command into multiple commands so that they can all be run against the ASA API. If CDO is unable to determine a proper separation in your command, it will prompt you for a hint on where to break the list of commands. For example:
Error: CDO attempted to execute a portion of this command with a length that exceeded 600 characters. You can give a hint to CDO at where a proper command separation point is by breaking up your list of commands with an additional empty line between them.
If you receive this error:
- Click the command in the CLI history pane that caused error. CDO populates the command box with the long list of commands.
- Edit the long list of commands by entering an empty line after groups of related commands. For example, add an empty line after you define a list of network objects and add them to a group like in the example above. You may want to do this at a few different points in the list of commands.
- Click Send.
Using the ASA CLI on a Single Device
- Open the Devices & Services page.
- Search for and filter the device list for the ASA you want to manage using the command line interface and select it.
Note: Make sure that the device you choose is reachable and synced. Only the following commands are allowed when the device is not synced: show, ping, traceroute, vpn-sessiondb, changeto, and dir.
- In the details pane for the device, click Command Line Interface .
- Enter your command, or commands, in the top "command pane" and click Send. ASA's responses to the command are displayed in the "response pane."
Work with Command History
After you send a CLI command, CDO records that command in the history pane on the Command Line Interface page. You can rerun the commands saved in the history pane or use the commands as a template:
- On the Devices & Services page, select the device you want to configure.
- Click Command Line Interface.
- Click the Clock icon to expand the history pane if it is not already expanded.
- Select the command in the history pane that you want to modify or resend.
- Edit the command in the command pane and click Send. CDO displays the results of the command in the response pane.
Note: CDO displays the Done! message in the response pane in two circumstances:
- After a command has executed successfully without errors.
- When the command has no results to return. For example, you may issue a show command with a regular expression searching for a certain configuration entry. If there is no configuration entry that meets the criteria of the regular expression, CDO returns Done!.