Step 4 – Identifying a zone pair and matching it to a policy

The zone-pair security zone-pair-name source {source-zone-name | self} destination {self | destination-zone-name} command creates a zone pair on the ZBF.

The service-policy type inspect policy-name command attaches the policy to the zone pair:

R1(config)#zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone 
R1(config-sec-zone-pair)#service-policy type inspect ccp-permit-dmzservice
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security ccp-zp-in-out source in-zone destination out-zone
R1(config-sec-zone-pair)#service-policy type inspect ccp-inspect
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
R1(config-sec-zone-pair)#service-policy type inspect ccp-permit-dmzservice
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security ccp-zp-self-out source self destination out-zone
R1(config-sec-zone-pair)#service-policy type inspect ccp-permit-icmpreply
R1(config-sec-zone-pair)#exit
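
A zone pair is unidirectional, and a pair with no service-policy attached passes no traffic. The following Python check is an added example, not part of the original text: it parses zone-pair stanzas from a running-config and flags pairs without an attached policy and pairs with no reverse-direction counterpart. The sample input is constructed from the four pairs above plus one hypothetical pair, example-dmz-in, that has no policy.

```python
import re

# Constructed sample: the zone pairs configured above as they would appear in a
# running-config, plus one hypothetical pair (example-dmz-in) with no policy.
SAMPLE_CONFIG = """\
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security example-dmz-in source dmz-zone destination in-zone
!
"""

ZP_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)\s*$")
SP_RE = re.compile(r"^\s+service-policy type inspect (\S+)\s*$")

def parse_zone_pairs(config):
    """Return one dict per zone pair: name, source, destination, policy (or None)."""
    pairs, current = [], None
    for line in config.splitlines():
        m = ZP_RE.match(line)
        if m:
            current = dict(zip(("name", "source", "destination"), m.groups()), policy=None)
            pairs.append(current)
        elif current is not None and (sp := SP_RE.match(line)):
            current["policy"] = sp.group(1)
        elif not line.startswith(" "):
            current = None  # unindented line: left the zone-pair sub-mode
    return pairs

def audit(pairs):
    """Return (pairs with no policy, pairs with no reverse-direction pair)."""
    directions = {(p["source"], p["destination"]) for p in pairs}
    unattached = [p["name"] for p in pairs if p["policy"] is None]
    one_way = [p["name"] for p in pairs
               if (p["destination"], p["source"]) not in directions]
    return unattached, one_way

if __name__ == "__main__":
    unattached, one_way = audit(parse_zone_pairs(SAMPLE_CONFIG))
    print("no service-policy attached:", unattached)
    print("no reverse-direction zone pair:", one_way)
```

The one-way list is for review, not an error report: with an inspect policy, return traffic for an established session is allowed without a reverse pair, so a missing reverse pair only means sessions cannot be initiated from that side.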