Without digging into the inner works of the Qubes firewall, you can add a cron job in dom0 to run something like:
qube="YOUR_QUBE_NAME"; qvm-ls --running --raw-list | grep -q "^${qube}$" && qvm-firewall --reload ${qube} >/dev/null 2>&1
which will check if YOUR_QUBE_NAME is running, and if yes, it reloads its firewall rules.
It’s not very resource-intensive, so you can run it every 2-3 minutes… or 5. I don’t know how often the lastpass IP changes and how often you use it.