This page describes the differences between three routers: a Cisco Pix 501, a Zyxel Zywall 2X and a
Linksys WRT54G.
It is not intended as a condemnation or endorsement of any one product, but to illustrate the
differences between stateful packet inspection (SPI) devices. The devil is often in the details, and
this page hopefully describes those details.
Initial Setup
The Zywall 2X has a wizard that creates a working default configuration quickly and easily. The Linksys
opens to a page on which the correct data can be entered quickly. The Pix ships with a default configuration
that is said to work in most instances; in my version of PixOS I seem to remember a setup command that would run
a text based wizard.
Either the Zywall or the Linksys could be configured with nothing more than the ISP's instructions and the
knowledge that the router is replacing a computer as the link to the ISP. If the Pix default configuration
won't work, some networking knowledge will be required.
Configuration
All three products have a web based configuration tool. The Pix and Zyxel also have serial ports and telnet
options for command line interfaces. The Zyxel starts the telnet or serial session in a text based menu from which
the command interface can be entered. The Pix configuration can be saved as a binary file or as a
text file that can be pasted in from Notepad. The Zyxel can save its config as a binary file using a built in
tftp server. On both the Pix and the Zywall the command line offers many more options than the web tool;
the Zywall, however, can be adequately configured using just the web tool.
Firewalls
The Linksys has a simple on/off switch for its firewall. The Zywall and Pix both have packet filters that are
applied to the inside and outside interfaces. The Pix also has the ASA (Adaptive Security Algorithm), which can
perform application level inspection on some protocols, and has a fairly large set of intrusion detection
signatures built in. The Pix can allow or block specific ICMP types with a simple access-list command; doing the
same thing on the Zyxel requires building a custom packet filter that matches on bits. In practice it is
probably easier to reach a secure yet functional configuration on the Zyxel, because of its graphical web tool,
unless you already know the Cisco command syntax and IP networking.
Both the PIX and Zywall have built in internal log viewers and the ability to export logs to a syslog server.
The addition of Link Logger to the Zywall makes sorting out logs painless.
The Zyxel and Pix can block and log outgoing as well as incoming traffic. This alerts users when something
unusual happens, such as an outgoing connection attempt to port 139 or 6129, and provides an extra layer of
protection should someone download Agobot (or one of the many other trojans that try to kill security software)
and it manages to kill the software firewall.
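The following PIX configuration fragment is an added example, not taken from the page or from any of the vendors; it shows what the two points above look like in practice on PIX 6.3-style syntax: selective ICMP filtering with an access-list, and logging of blocked outbound connections to the ports mentioned (139 and 6129). The LAN 192.168.1.0/24, the syslog host 192.168.1.5 and the access-list names are assumptions made for the example.

```cisco
! Added example (not the page's own configuration). Addresses are constructed.
! Inbound from the Internet: permit the ICMP replies that ping, traceroute and
! path MTU discovery need, log and drop every other ICMP type, and let the
! implicit deny at the end of the list drop everything else. PIX 6.x does not
! track ICMP statefully, so replies to pings sent from the LAN must be
! permitted explicitly here.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in deny icmp any any log
access-group outside_in in interface outside
!
! Outbound from the LAN: log and block 139 and 6129 before the general permit,
! so a host whose software firewall has been killed still shows up in syslog.
! The "log" keyword on access-list entries requires PIX 6.3 or later.
access-list inside_out deny tcp any any eq 139 log
access-list inside_out deny tcp any any eq 6129 log
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-group inside_out in interface inside
!
! ICMP addressed to the PIX's own interfaces is governed by the icmp command,
! not by the interface access-lists; rules are matched first-match, so this
! refuses echo (ping) on the outside interface and allows the other types.
icmp deny any echo outside
icmp permit any outside
!
! Send the log hits to a syslog host on the LAN (address assumed).
logging on
logging trap informational
logging host inside 192.168.1.5
```

The inside access-list is the part worth copying: once it is applied, every outbound connection that does not match a permit line is dropped, so the permit line at the end must cover whatever the LAN legitimately needs.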
NAT
All three routers work identically with a single IP address assigned to the WAN interface. An external port
can be mapped to only one internal computer at any given time. Using a feature called port triggering you could
play Counter-Strike, for example, from any computer in the house, but only from one computer at a time. Port 80 for
web service can be mapped to only one internal computer.
The PIX and Zywall also support multiple IP addresses on the WAN side as well as the LAN side. They allow
one to one mapping of internal to external IP addresses, mapping of multiple internal IPs to a single external
IP, or both methods at the same time. This allows multiple web servers, mail servers or gaming computers at
once, while the rest of the computers on the LAN share a single external IP address.
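As an added example (not from the page or from Cisco's documentation), here is how the two NAT arrangements described above are expressed on a PIX 6.x: the whole LAN sharing the outside interface address, a single port forwarded to one web server when only one public address is available, and a one-to-one mapping for a mail server when a second public address exists. The outside interface address 203.0.113.2, the second public address 203.0.113.10 and the LAN 192.168.1.0/24 are constructed for the example.

```cisco
! Added example (not the page's own configuration). Addresses are constructed.
! Everyone on the LAN shares the outside interface address (port address translation).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Single public address: forward only TCP port 80 arriving at the interface
! address to one web server (port redirection on the interface, PIX 6.2+).
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
!
! Second public address: a full one-to-one mapping for a mail server. The PIX
! answers ARP for 203.0.113.10 on the outside segment, so the ISP only has to
! route the address to that segment.
static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255
!
! A static only creates the translation; the outside access-list must still
! permit the inbound traffic, and only the ports actually served should be opened.
access-list outside_in permit tcp any host 203.0.113.2 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-group outside_in in interface outside
```

Note that the one-to-one static exposes every port on 192.168.1.20 to translation; it is the access-list, not the static, that limits what the outside world can reach, which is why the permit line names port 25 only.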
VPN
All three routers support VPN pass through. The Zywall and PIX can act as an IPsec endpoint. The Pix
can also act as a Microsoft PPTP VPN endpoint. IPsec is generally considered the more secure method (the MS-CHAP
authentication PPTP relies on has well documented weaknesses), but Microsoft clients are ubiquitous. The advantage
of a router to router VPN is that all clients behind one router can see all clients behind the second router.
The security decisions are up to you.
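The router to router IPsec case, as an added example that is not part of the original page: a PIX 6.x side of a site-to-site tunnel to a second firewall, joining the local LAN 192.168.1.0/24 with a remote LAN 192.168.2.0/24. The peer address 198.51.100.1, the pre-shared key and the access-list and crypto map names are assumptions made for the example.

```cisco
! Added example (not the page's own configuration). Addresses are constructed.
! Phase 1 (IKE): pre-shared key, 3DES, SHA-1, Diffie-Hellman group 2. A PIX 501
! needs the 3DES/AES activation key for 3des; the base license only has des.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key use-a-long-random-secret address 198.51.100.1 netmask 255.255.255.255
!
! Interesting traffic: which LAN-to-LAN packets are sent through the tunnel...
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! ...and the same list exempts them from NAT, so hosts on the remote LAN see the
! real 192.168.1.x addresses rather than the outside interface address.
nat (inside) 0 access-list vpn_traffic
!
! Phase 2 (IPsec): ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tosite 10 ipsec-isakmp
crypto map tosite 10 match address vpn_traffic
crypto map tosite 10 set peer 198.51.100.1
crypto map tosite 10 set transform-set strong
crypto map tosite interface outside
!
! Decrypted tunnel traffic bypasses the outside interface access-list.
sysopt connection permit-ipsec
```

The other end needs the mirror image of this (its own LAN as the source in the access-list, this firewall's outside address as the peer, and the same key, policy and transform set). The sysopt line is the one to think about: it means anything that arrives through the tunnel is trusted as if it came from the local LAN, so the remote site's security becomes part of your own.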