Your need an extended access-list accepting inbound connections for RDP, but only from some WAN address(es); e.g. assuming:
external host who needs to access your RDP port forwarding has a public IP address of AA.BBB.CC.DDD;
your internal host you want to access with RDP has an IP 10.10.10.XX and is listening for RDP connections on TCP/UDP ports 3389;
your public IP address is WWW.XXX.YY.ZZ;
you can try something like this:
ip access-list extended web-acl-RDP
remark Filter RDP from WAN
permit tcp host AA.BBB.CC.DDD host WWW.XXX.YY.ZZ eq 3389 log
permit udp host AA.BBB.CC.DDD host WWW.XXX.YY.ZZ eq 3389 log
ip policy-class Public
...
nat destination list web-acl-RDP address 10.10.10.XX
You could replace host for hostname if the domain names can be resolved by DNS.
