You can use conduits. I know everyone likes to use ACLs but conduits work great for me. Just add the following line and it should work. This will allow any thing on the outside network to get to public ip 195.x.x.x accross port 3389. Then your static command will push it to your internal IP.
here is an example:
conduit permit tcp host 195.x.x.x eq 3389 any