I think one of the reasons why your configuration doesn’t work is just because of the Cisco Packet Tracer limitation. I’ve experienced the same, but in my case it’s ip-helper address. For some reason, I don’t know why, it doesn’t work, but on actual application my configuration is 100% working.
My suggestion is, you should try to accomplish your configuration on real devices.
I haven’t tried to use your config on Packet Tracer because of my busy schedule, but if I have the time, I’ll just update my answer.
Couple of issues right off the bat:
1) the lines “permit tcp 192.168.1.10 0.0.0.255 host 192.168.20.254 eq 21” and “permit tcp 192.168.2.10 0.0.0.255 host 192.168.20.254 eq 21” are wrong – Web access would be on port 80, not 21 (FTP)
2) the section “permit tcp 192.168.1.10 0.0.0.255..” would be better written as “permit tcp 192.168.1.0 0.0.0.255”
3) the line “R2(config-ext-nacl)#deny ip any any” = really unnecessary: all Cisco ACLs have the “implicit deny” at the end of every ACL by default
Outside of those, any diagraming would be helpful…
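
The three points in the answer above can be checked with a small ACL evaluator. This is an added example, not code from the thread: the function names, the sample client address and the second corrected entry (192.168.2.0, by analogy with the first) are assumptions, and it parses only the entry form quoted in the answer.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def normalize(base, wildcard):
    """Zero the ignored bits: the address the entry effectively matches on."""
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF))

def parse_entry(line):
    """Parse only: <action> tcp <src> <src-wildcard> host <dst> eq <port>"""
    t = line.split()
    if len(t) != 8 or t[1] != "tcp" or t[4] != "host" or t[6] != "eq":
        raise ValueError("unsupported entry: " + line)
    return {"action": t[0], "src": t[2], "wild": t[3],
            "dst": t[5], "port": int(t[7])}

def evaluate(acl_lines, src, dst, dport):
    """First match wins; falling off the end is the implicit deny."""
    for line in acl_lines:
        e = parse_entry(line)
        if (wildcard_match(src, e["src"], e["wild"])
                and dst == e["dst"] and dport == e["port"]):
            return e["action"]
    return "deny"  # implicit deny: no explicit 'deny ip any any' is needed

# Entries as quoted in the answer (port 21).
AS_POSTED = ["permit tcp 192.168.1.10 0.0.0.255 host 192.168.20.254 eq 21",
             "permit tcp 192.168.2.10 0.0.0.255 host 192.168.20.254 eq 21"]
# With the answer's fixes applied (second line's 192.168.2.0 is an assumption).
CORRECTED = ["permit tcp 192.168.1.0 0.0.0.255 host 192.168.20.254 eq 80",
             "permit tcp 192.168.2.0 0.0.0.255 host 192.168.20.254 eq 80"]

if __name__ == "__main__":
    client, server = "192.168.1.77", "192.168.20.254"  # constructed client host
    print("posted, port 80:   ", evaluate(AS_POSTED, client, server, 80))
    print("corrected, port 80:", evaluate(CORRECTED, client, server, 80))
    print("192.168.1.10 0.0.0.255 ->", normalize("192.168.1.10", "0.0.0.255"))
```
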