We do not have enough information yet to be able to answer questions about what you might need to add or remove from the configuration. You have provided the config of the 1921 but we have no information about the home router and what it is doing. I do have some comments and questions:

- the 1921 does have an appropriate static default route and does have address translation configured. So traffic from the 1921 should be able to access the Internet.

- the configuration shows that G0/2 will get its IP address using DHCP. Is the home router assigning an IP? What is the IP?

- your static route for 192.168.2.0 just says go out G0/2 but does not specify a next hop. That is not a best practice but it will work if the home router supports proxy arp on its interface connecting to 1921. Can you verify that the home router does support proxy arp on that interface (where it is using DHCP to assign addresses)?

- since G0/2 will get its IP via DHCP any route on home router would not be able to specify a next hop. So 1921 would need to support proxy arp. Use show ip interface G0/2 to verify this.

- we do not have any information about how the home router is set up. Would we be safe to assume these things?

# home router does run DHCP on its WAN interface

# home router does support proxy arp on its WAN interface

# home router has an IP address in 192.168.2.0 on its LAN interface

# either home router is using DHCP on its LAN interface or PC1 is manually configured (and if so that PC1 has the correct default gateway)

# home router has a default route configured that will send traffic to 1921 (required to get access to Internet) and home router might have a route for the 192.168.0.0 network

Depending on the factors that I have identified it is quite possible that the PCs would be able to ping each other and would be able to access the Internet without requiring changes in your configuration on 1921.

Hello,

change the default route to:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

1. in yor diagram DLC also internet ? (do you have 2 internet connection) or just DLC as Wifi router ?
DLC is supposed to get the internet connection from 2921 G0/2

2. Only out going traffic to internet using G0/0 right ?
Yes. I dont want remote access to my network. That connection is only for internet access.

3. You have configured G0/2 DHCP what IP address you get from DLC ? instead you can configure point to point to Link ?
When I connect that DLC Internet port to G0/2, no IP is given. When I connect to an Ethernet port on DLC, I get an IP address in the network 192.168.2.0/24

4. the 1921 does have an appropriate static default route and does have address translation configured. So traffic from the 1921 should be able to access the Internet.
Yes, the cisco router and everything on G0/1 has internet access.

5. the configuration shows that G0/2 will get its IP address using DHCP. Is the home router assigning an IP? What is the IP?
When I connect that DLC Internet port to G0/2, no IP is given. When I connect to an Ethernet port on DLC, I get an IP address in the network 192.168.2.0/24

6. your static route for 192.168.2.0 just says go out G0/2 but does not specify a next hop. That is not a best practice but it will work if the home router supports proxy arp on its interface connecting to 1921. Can you verify that the home router does support proxy arp on that interface (where it is using DHCP to assign addresses)?
Sorry, I'm not sure about this.

7. since G0/2 will get its IP via DHCP any route on home router would not be able to specify a next hop. So 1921 would need to support proxy arp. Use show ip interface G0/2 to verify this.

G0/2 does not get IP address when connected to WAN port on home router.

R1#show ip interface G0/2
GigabitEthernet0/2 is up, line protocol is up
  Internet address will be negotiated using DHCP
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
  Output features: NAT Inside, Common Flow Table, Stateful Inspection, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

8. home router does run DHCP on its WAN interface
The home WAN port can get an IP via DHCP or I can specify manually. But like I said, when I connect that DLC Internet(WAN) port to G0/2, no IP is given. When I connect to an Ethernet(LAN) port on DLC, I get an IP address in the network 192.168.2.0/24

9. home router does support proxy arp on its WAN interface
Not sure how to confirm this.

10. home router has an IP address in 192.168.2.0 on its LAN interface
Yes.

11. either home router is using DHCP on its LAN interface or PC1 is manually configured (and if so that PC1 has the correct default gateway)
IP address assigned via DHCP

12. home router has a default route configured that will send traffic to 1921 (required to get access to Internet) and home router might have a route for the 192.168.0.0 network
I have not specified routes on the home router.

When I connect G0/2 to LAN port of home router, G0/2 gets an IP address via DHCP. 1921 is then able to ping the home router on 192.168.2.1. But PC0 is not able to ping. Also, PC1 does not have internet access.

After some messing around, I am able to ping from the home router network (192.168.2.0/24) to the 2921 network (192.168.0.0/24). But not the other way. Isn't that weird?

I thought if you can ping from A to B, then should be able to ping from B to A. I have verified that the devices I am pinging, do reply when pinged from the same network.

So now it looks like the home router is all configured. Except that there is still no internet access. Which I can live with because I am using the home router to connect IoT devices. 

If you are wondering why I am going to all this length and not just using a WLC and a couple of APs. We I do have a WLC and 2 APs. but some IoT devices will just not connect to the WLC WiFi. I have tried to figure that out for more than a year and failed. Those devices have no problem connecting to the home router what so ever.

Below is my new config for the 2921

R1#sh run
Building configuration...

Current configuration : 2054 bytes
!
! Last configuration change at 06:22:51 UTC Sat Sep 5 2020 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 4 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
ip cef
!
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
!
ip domain name home.com
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FGL1813118M
!
username admin privilege 15 secret 4 xxxxxxxxxxxxxxxx
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

The home router WAN port has been given a static ip of 192.168.3.2/24

Thanks. This is what I have now. But I am still not able to ping from 2921 to home router. I can ping from home router to G0/2 and any other devices connected on 192.168.0.0/24

Current configuration : 1971 bytes
!
! Last configuration change at 07:11:17 UTC Sun Sep 6 2020 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
ip cef
!
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
!
ip domain name home.com
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FGL1813118M
!
username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.255.255
!
control-plane
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks for the reply. I did make the changes but still not working.

Below is the screenshot of the Advanced Filtering tab.

I tried disabling rule number 3 but nothing changes.

Regards,

And here is the log file.

Awesome. Thanks a lot Georg. That seems to be working. Instead of any-any, I allowed 192.168.0.0/24 to 192.168.2.0/24

Thank you very much.