This ACE is not doing anything and can actually be removed - there is no 172.16.110.10 outside of the DMZ network, and since the original poster mentioned this is an ingress ACL ("access-group DMZ in interface DMZ"), this ACE will never be hit.
If the original poster wants to only allow the machine ws-vwright-01 to contact 172.16.110.10 on TCP port 3398 in the DMZ then an egress ACL on the DMZ interface or an ingress ACL on the inside interface that only allows this flow needs to be applied.
As it is right now the original poster can add the dynamic NAT statements that I mentioned and any machine on the inside will be able to RDP into 172.16.110.10, and this without changes to any ACL since traffic from high security interfaces going to lower security interfaces is allowed by default.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...