If you are looking for a box on which to terminate multiple VPN tunnels, the concentrator is the device that you should opt for. Though the PIX can handle multiple VPN tunnels (numbers depend on model) it is primarily focussed on perimeter security. If I were you, for the centeral site I would have both the PIX and the concentrator. The concentrator would act as the tunnel endpoint for the VPN tunnels while the PIX would handle internet traffic which is not IPSec tunneled. This design is necessary considering that the site you are protecting is the all important centeral hub. Also, such a design is important from the scalability point of view and will solve a lot of throughput issues that you might run into otherwise. For the remote sites, a PIX by itself should be sufficient provided that the number of tunnels being terminated is not too high. Specifically, wrt the 501, the maximum number of concurrent VPN peers allowed are 5 and maximum throughput is 10Mbps/6Mbps/3Mbps (unencrypted/DES/3DES).