RDP Connection through PIX
By default, to allow RDP access from the Internet to a machine behind the PIX, you need a static defined for NAT and an access-list that permits the traffic.
For example, to do this with the IP assigned to the outside interface, we’d do it this way:
static (inside,outside) tcp interface 3389 <PrivateIP_Internal_Desktop> 3389
access-list <Name> permit tcp any interface outside eq 3389
access-group <Name> in interface outside
Here <Name> is the ACL you already have. In that ACL, you can replace ‘any’ with ‘host x.x.x.x’ to allow access only from a specific IP on the Internet.
To do the same with an available public IP address that is not assigned to the outside interface, do it this way:
static (inside,outside) tcp <Public_IP> 3389 <Private_IP> 3389
access-list <Name> permit tcp any host <Public_IP> eq 3389
access-group <Name> in interface outside
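An added example, not part of the original post: a small Python check that reads a PIX configuration written in the two forms shown above and reports which source each 3389 port-forward is open to, flagging entries that still use ‘any’. The sample config, the ACL name outside_in and all addresses are constructed; only the line forms used on this page (numeric ports, ‘any’ or ‘host’ sources) are parsed.

```python
import re

# Constructed sample config in the two forms the post shows.
# ACL name and addresses (RFC 5737 / RFC 1918 ranges) are made up for the example.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 192.168.1.10 3389
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp 203.0.113.5 3389 192.168.1.20 3389
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.5 eq 3389
access-group outside_in in interface outside
"""

# Only the line shapes from the post are recognised (numeric "eq" ports).
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+|\S+ \S+) (interface \w+|host \S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit_rdp(config, port=3389):
    """Return (public, private, source, open_to_any) for each reachable forward."""
    statics, acls, bound = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)  # ACL name -> interface it filters inbound
    findings = []
    for _inside, outside, public, pub_port, private, _priv_port in statics:
        if int(pub_port) != port:
            continue
        # An ACL entry reaches this static only if its destination is the same public side.
        dest = f"interface {outside}" if public == "interface" else f"host {public}"
        for name, src, dst, acl_port in acls:
            if bound.get(name) == outside and dst == dest and int(acl_port) == port:
                findings.append((public, private, src, src == "any"))
    return findings

if __name__ == "__main__":
    for public, private, src, open_to_any in audit_rdp(SAMPLE_CONFIG):
        print(f"{public} -> {private}: source {src}" + ("  [open to any]" if open_to_any else ""))
```

A static with no matching permit on an ACL bound to the outside interface produces no finding, since the forward is not reachable from outside.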
This entry was posted by rsivanandan on August 8, 2007 at 7:15 pm, and is filed under Access-Control, Windows.
