since we do not know the source IP/Network we have to allow all source IPs. RDP uses port TCP/3389 - - - - - -NOTE: This is not a CCNA Exam Level question, this is an ACL that would be configured on a something like a: Cisco Adaptive Security Appliance (ie ASA5505) - - - HOWEVER, it is good exam-skill practice, don't freak or panic, attempt logically find the only possible solution: (FYI: "outside_in" is the named-ACL "name" on these devices, that is all they use, they don't have: "numbered-ACL's") - - - - - - - FIRST STEP: the beginning and ending of every choice is exactly the same ( "access-list outside_in permit" -and- "3389"), SO FOCUS ON WHAT'S DIFFERENT, - - - - although not required, you 'should know' that Microsoft RDP is a VERY WIDELY USED Remote-Desktop-Application/Protocol, and if you have any inkling about how it works, you should intuitively KNOW, that it cannot use icmp, or connectionless- UDP = = > AND that eliminates half of the choices - - - - - - - - - - - - - Both the remaining choices work on 'permitting tcp', you should correctly assume that these ACL's follow all other ALC logic [Source]-First, [Destination]-second; - - - - - - - - one choice permits a specific host -to- 'any' destination, -and- the other matches the question's requirement: unknown/any Source -to- a specific Host/Destination (the MS-RDP-Connection ip) [Sidebar note: TCP uses a three-way handshake to connect and authenticate the client via Kerberos]